Windows Analysis Report
https://update.microgate.it/optojump/optojumpnext.exe

Overview

General Information

Sample URL:https://update.microgate.it/optojump/optojumpnext.exe
Analysis ID:1522627
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Drops large PE files
Installs new ROOT certificates
Sigma detected: New RUN Key Pointing to Suspicious Folder
Adds / modifies Windows certificates
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Execution From GUID Like Folder Names
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • cmd.exe (PID: 6496 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://update.microgate.it/optojump/optojumpnext.exe" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 3484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wget.exe (PID: 6636 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://update.microgate.it/optojump/optojumpnext.exe" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • optojumpnext.exe (PID: 5812 cmdline: "C:\Users\user\Desktop\download\optojumpnext.exe" MD5: 16EDDCB330DB5178466D38E3D775FDC0)
    • setup.exe (PID: 4128 cmdline: "C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe" MD5: 94498086DC1825A3AF3044BE5F4B5E92)
      • setup.exe (PID: 692 cmdline: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe /q"C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}" /IS_temp MD5: 94498086DC1825A3AF3044BE5F4B5E92)
        • msiexec.exe (PID: 1432 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{a0689fe9-3467-4d73-bc25-d0f696ad268a}\CRRuntime_32bit_13_0_10.msi" /qn /norestart MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • vcredist_x86.exe (PID: 2936 cmdline: "C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe" /q MD5: CEDE02D7AF62449A2C38C49ABECC0CD3)
          • Setup.exe (PID: 6684 cmdline: c:\1adc35b2a430ffb6f8fdcb\Setup.exe /q MD5: 9A1141FBCEEB2E196AE1BA115FD4BEE6)
        • msiexec.exe (PID: 500 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{B1165B38-CA52-11E0-A63D-7C004824019B}\SSCERuntime_x86-ENU.msi" /q /norestart MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 1888 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 4324 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 80DCE7E404A3D2C744ABC8DE5968C142 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • setup.exe (PID: 2664 cmdline: "C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe" MD5: 94498086DC1825A3AF3044BE5F4B5E92)
  • setup.exe (PID: 5184 cmdline: "C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe" MD5: 94498086DC1825A3AF3044BE5F4B5E92)
    • setup.exe (PID: 5684 cmdline: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exe /q"C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}" /IS_temp MD5: 94498086DC1825A3AF3044BE5F4B5E92)
  • msiexec.exe (PID: 4932 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 2112 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 1AA463F152CC7C817FC4EBBAEC5BC88D MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 2360 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 2150726FCB1B5064F395F524C5BCA25E E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Registry Key setAuthor: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: "C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe, ProcessId: 692, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ISSetupPrerequisistes
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe, ProcessId: 692, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ISSetupPrerequisistes
Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{a0689fe9-3467-4d73-bc25-d0f696ad268a}\CRRuntime_32bit_13_0_10.msi" /qn /norestart, CommandLine: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{a0689fe9-3467-4d73-bc25-d0f696ad268a}\CRRuntime_32bit_13_0_10.msi" /qn /norestart, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msiexec.exe, NewProcessName: C:\Windows\SysWOW64\msiexec.exe, OriginalFileName: C:\Windows\SysWOW64\msiexec.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe /q"C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}" /IS_temp, ParentImage: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe, ParentProcessId: 692, ParentProcessName: setup.exe, ProcessCommandLine: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{a0689fe9-3467-4d73-bc25-d0f696ad268a}\CRRuntime_32bit_13_0_10.msi" /qn /norestart, ProcessId: 1432, ProcessName: msiexec.exe
Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://update.microgate.it/optojump/optojumpnext.exe" > cmdline.out 2>&1, CommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://update.microgate.it/optojump/optojumpnext.exe" > cmdline.out 2>&1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5828, ProcessCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://update.microgate.it/optojump/optojumpnext.exe" > cmdline.out 2>&1, ProcessId: 6496, ProcessName: cmd.exe
No Suricata rule has matched

Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeFile created: C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20240930_074606050-MSI_vc_red.msi.txt
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeFile created: c:\1adc35b2a430ffb6f8fdcb\1033\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeFile created: c:\1adc35b2a430ffb6f8fdcb\1041\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeFile created: c:\1adc35b2a430ffb6f8fdcb\1042\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeFile created: c:\1adc35b2a430ffb6f8fdcb\1028\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeFile created: c:\1adc35b2a430ffb6f8fdcb\2052\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeFile created: c:\1adc35b2a430ffb6f8fdcb\1040\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeFile created: c:\1adc35b2a430ffb6f8fdcb\1036\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeFile created: c:\1adc35b2a430ffb6f8fdcb\1031\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeFile created: c:\1adc35b2a430ffb6f8fdcb\3082\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeFile created: c:\1adc35b2a430ffb6f8fdcb\1049\eula.rtf
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\EULA_ENU.rtf
Source: C:\Windows\System32\msiexec.exeFile opened: C:\Windows\WinSxS\InstallTemp\20240930074613390.1\msvcr80.dll
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.dataaccess\p3da3de.pdb source: p3da3de.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\prompt_res_pt.pdb source: prompt_res_pt.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\u312fren.pdb source: u312fren.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\DTSagent.pdb source: dtsagent.dll.13.dr
Source: Binary string: sfxcab.pdb source: vcredist_x86.exe, 00000014.00000002.4720160753.0000000001002000.00000020.00000001.01000000.0000000A.sdmp, vcredist_x86.exe, 00000014.00000000.4617263282.0000000001002000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: sqmapi.pdb source: Setup.exe, 00000015.00000002.4714455712.000000006F6F1000.00000020.00000001.01000000.0000000D.sdmp
Source: Binary string: SetupEngine.pdb source: Setup.exe, 00000015.00000002.4713504272.000000006BBE1000.00000020.00000001.01000000.0000000C.sdmp
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\crxf_pdf_res_sk.pdb source: crxf_pdf_res_sk.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.dataaccess\p3da3ru.pdb source: p3da3ru.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\x3frchu.pdb source: x3frchu.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\reportrenderer_res_en.pdb source: reportrenderer_res_en.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\u3lfres.pdb source: u3lfres.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\crxf_rtf_res_fi.pdb source: crxf_rtf_res_fi.dll.13.dr
Source: Binary string: h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb source: 4154ca.msi.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.dataaccess\p3dbtko.pdb source: p3dbtko.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\ParameterDesigner_res_zh_CN.pdb source: ParameterDesigner_res_zh_CN.dll.13.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setupPreReq.pdb source: setup.exe, 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp, setup.exe, 0000000A.00000000.3716732649.0000000000B35000.00000002.00000001.01000000.00000007.sdmp, setup.exe, 0000000B.00000002.4744250125.0000000000815000.00000002.00000001.01000000.00000008.sdmp, setup.exe, 0000000B.00000000.3756341549.0000000000815000.00000002.00000001.01000000.00000008.sdmp, setup.exe, 0000000F.00000000.3948530982.0000000000B35000.00000002.00000001.01000000.00000007.sdmp, setup.exe, 00000012.00000002.4027587700.0000000000B35000.00000002.00000001.01000000.00000007.sdmp, setup.exe, 00000012.00000000.3963127945.0000000000B35000.00000002.00000001.01000000.00000007.sdmp, setup.exe, 00000013.00000002.4064250213.0000000000875000.00000002.00000001.01000000.00000009.sdmp, setup.exe, 00000013.00000000.4010728428.0000000000875000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\crxf_rtf_res_en.pdb source: crxf_rtf_res_en.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\x3fsvit.pdb source: x3fsvit.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.dataaccess\crdb_adoplus_res_tr.pdb source: crdb_adoplus_res_tr.dll.13.dr
Source: Binary string: Setup.pdb source: Setup.exe, 00000015.00000002.4710518061.0000000000FF1000.00000020.00000001.01000000.0000000B.sdmp, Setup.exe, 00000015.00000000.4640088888.0000000000FF1000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\u3ldtfr.pdb source: u3ldtfr.dll.13.dr
Source: Binary string: SetupResources.pdb source: SetupResources.dll8.20.dr
Source: C:\Windows\System32\msiexec.exeFile opened: z:
Source: C:\Windows\System32\msiexec.exeFile opened: x:
Source: C:\Windows\System32\msiexec.exeFile opened: v:
Source: C:\Windows\System32\msiexec.exeFile opened: t:
Source: C:\Windows\System32\msiexec.exeFile opened: r:
Source: C:\Windows\System32\msiexec.exeFile opened: p:
Source: C:\Windows\System32\msiexec.exeFile opened: n:
Source: C:\Windows\System32\msiexec.exeFile opened: l:
Source: C:\Windows\System32\msiexec.exeFile opened: j:
Source: C:\Windows\System32\msiexec.exeFile opened: h:
Source: C:\Windows\System32\msiexec.exeFile opened: f:
Source: C:\Windows\System32\msiexec.exeFile opened: b:
Source: C:\Windows\System32\msiexec.exeFile opened: y:
Source: C:\Windows\System32\msiexec.exeFile opened: w:
Source: C:\Windows\System32\msiexec.exeFile opened: u:
Source: C:\Windows\System32\msiexec.exeFile opened: s:
Source: C:\Windows\System32\msiexec.exeFile opened: q:
Source: C:\Windows\System32\msiexec.exeFile opened: o:
Source: C:\Windows\System32\msiexec.exeFile opened: m:
Source: C:\Windows\System32\msiexec.exeFile opened: k:
Source: C:\Windows\System32\msiexec.exeFile opened: i:
Source: C:\Windows\System32\msiexec.exeFile opened: g:
Source: C:\Windows\System32\msiexec.exeFile opened: e:
Source: C:\Windows\System32\msiexec.exeFile opened: c:
Source: C:\Windows\System32\msiexec.exeFile opened: a:
Source: C:\Users\user\Desktop\download\optojumpnext.exeCode function: 9_2_004014B7 wsprintfA,FindFirstFileA,FindClose,9_2_004014B7
Source: C:\Users\user\Desktop\download\optojumpnext.exeCode function: 9_2_00404BA4 lstrcpyA,lstrcpyA,lstrcatA,lstrcatA,DeleteFileA,DeleteFileA,FindFirstFileA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,DeleteFileA,FindNextFileA,FindClose,lstrcpyA,lstrlenA,RemoveDirectoryA,9_2_00404BA4
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: 10_2_00AD168D __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,10_2_00AD168D
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: 10_2_00AE7E01 __EH_prolog3_GS,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,10_2_00AE7E01
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeCode function: 11_2_007C7E01 __EH_prolog3_GS,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,11_2_007C7E01
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeCode function: 11_2_007B168D __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,11_2_007B168D
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: 15_2_00AD168D __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,15_2_00AD168D
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: 15_2_00AE7E01 __EH_prolog3_GS,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,15_2_00AE7E01
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: 18_2_00AD168D __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,18_2_00AD168D
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: 18_2_00AE7E01 __EH_prolog3_GS,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,18_2_00AE7E01
Source: C:\Users\user\Desktop\download\optojumpnext.exeFile opened: C:\Users\user\AppData\Local\Temp\pftF363~tmp\
Source: C:\Users\user\Desktop\download\optojumpnext.exeFile opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\download\optojumpnext.exeFile opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\download\optojumpnext.exeFile opened: C:\Users\user\AppData\Local\Temp\plfE613.tmp
Source: C:\Users\user\Desktop\download\optojumpnext.exeFile opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\download\optojumpnext.exeFile opened: C:\Users\user\
Source: u312fren.dll.13.dr, PrintControl_res_zh_CN.cab.13.dr, reportrenderer_res_en.dll.13.dr, dtsagent.dll.13.dr, u3ldtfr.dll.13.dr, crxf_rtf_res_fi.dll.13.dr, p3da3de.dll.13.dr, crxf_wordw_res_en.dll.13.dr, p3dbtko.dll.13.dr, crxf_rtf_res_en.dll.13.dr, crxf_pdf_res_sk.dll.13.dr, CrystalDecisions.Web.resources.dll7.13.dr, x3fsvit.dll.13.dr, ParameterDesigner_res_zh_CN.dll.13.dr, prompt_res_pt.dll.13.dr, p3da3ru.dll.13.dr, x3frchu.dll.13.dr, u3lfres.dll.13.dr, crdb_adoplus_res_tr.dll.13.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Setup.exe, 00000015.00000003.4646527142.0000000001560000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000015.00000003.4650331801.0000000002F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.microsoft.
Source: Setup.exe, 00000015.00000003.4650937017.0000000001620000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000015.00000003.4659920159.0000000001620000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000015.00000003.4654482957.0000000001620000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000015.00000003.4655826903.0000000001620000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000015.00000003.4649641284.0000000001620000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000015.00000003.4648140830.0000000001620000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000015.00000003.4653273666.0000000001620000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000015.00000003.4656053383.0000000001620000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000015.00000003.4652247117.0000000001620000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000015.00000003.4657314983.0000000001620000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000015.00000003.4651994437.0000000001620000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000015.00000003.4658562400.0000000001620000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000015.00000003.4653464695.0000000001620000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000015.00000003.4658361799.0000000001620000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000015.00000003.4657105610.0000000001620000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000015.00000003.4648283732.0000000001620000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000015.00000003.4650735571.0000000001620000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000015.00000003.4649441437.0000000001620000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000015.00000003.4654670763.0000000001620000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000015.00000003.4660132574.0000000001620000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.microsoft.c
Source: u312fren.dll.13.dr, PrintControl_res_zh_CN.cab.13.dr, reportrenderer_res_en.dll.13.dr, dtsagent.dll.13.dr, u3ldtfr.dll.13.dr, crxf_rtf_res_fi.dll.13.dr, p3da3de.dll.13.dr, crxf_wordw_res_en.dll.13.dr, p3dbtko.dll.13.dr, crxf_rtf_res_en.dll.13.dr, crxf_pdf_res_sk.dll.13.dr, CrystalDecisions.Web.resources.dll7.13.dr, x3fsvit.dll.13.dr, ParameterDesigner_res_zh_CN.dll.13.dr, prompt_res_pt.dll.13.dr, p3da3ru.dll.13.dr, x3frchu.dll.13.dr, u3lfres.dll.13.dr, crdb_adoplus_res_tr.dll.13.drString found in binary or memory: http://ocsp.thawte.com0
Source: setup.exe, 00000013.00000002.4064546490.0000000000FF4000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://saturn.installshield.com/devstudio/setuprequirements/sqlce35sp2/SSCERuntime_x64-ENU.msi
Source: setup.exe, 00000013.00000003.4017088826.00000000015D0000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000013.00000003.4019306480.00000000015D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://saturn.installshield.com/is/prerequisites/Microsoft
Source: setup.exe, 00000013.00000003.4063946010.00000000015CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://saturn.installshield.com/is/prerequisites/microsoft
Source: 4154ca.msi.13.drString found in binary or memory: http://support.businessobjects.com/ARPREADMEBOBJ_NAMEBusiness
Source: u312fren.dll.13.dr, PrintControl_res_zh_CN.cab.13.dr, reportrenderer_res_en.dll.13.dr, dtsagent.dll.13.dr, u3ldtfr.dll.13.dr, crxf_rtf_res_fi.dll.13.dr, p3da3de.dll.13.dr, crxf_wordw_res_en.dll.13.dr, p3dbtko.dll.13.dr, crxf_rtf_res_en.dll.13.dr, crxf_pdf_res_sk.dll.13.dr, CrystalDecisions.Web.resources.dll7.13.dr, x3fsvit.dll.13.dr, ParameterDesigner_res_zh_CN.dll.13.dr, prompt_res_pt.dll.13.dr, p3da3ru.dll.13.dr, x3frchu.dll.13.dr, u3lfres.dll.13.dr, crdb_adoplus_res_tr.dll.13.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: u312fren.dll.13.dr, PrintControl_res_zh_CN.cab.13.dr, reportrenderer_res_en.dll.13.dr, dtsagent.dll.13.dr, u3ldtfr.dll.13.dr, crxf_rtf_res_fi.dll.13.dr, p3da3de.dll.13.dr, crxf_wordw_res_en.dll.13.dr, p3dbtko.dll.13.dr, crxf_rtf_res_en.dll.13.dr, crxf_pdf_res_sk.dll.13.dr, CrystalDecisions.Web.resources.dll7.13.dr, x3fsvit.dll.13.dr, ParameterDesigner_res_zh_CN.dll.13.dr, prompt_res_pt.dll.13.dr, p3da3ru.dll.13.dr, x3frchu.dll.13.dr, u3lfres.dll.13.dr, crdb_adoplus_res_tr.dll.13.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: u312fren.dll.13.dr, PrintControl_res_zh_CN.cab.13.dr, reportrenderer_res_en.dll.13.dr, dtsagent.dll.13.dr, u3ldtfr.dll.13.dr, crxf_rtf_res_fi.dll.13.dr, p3da3de.dll.13.dr, crxf_wordw_res_en.dll.13.dr, p3dbtko.dll.13.dr, crxf_rtf_res_en.dll.13.dr, crxf_pdf_res_sk.dll.13.dr, CrystalDecisions.Web.resources.dll7.13.dr, x3fsvit.dll.13.dr, ParameterDesigner_res_zh_CN.dll.13.dr, prompt_res_pt.dll.13.dr, p3da3ru.dll.13.dr, x3frchu.dll.13.dr, u3lfres.dll.13.dr, crdb_adoplus_res_tr.dll.13.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Code39AzaleaRegular1.ttf.13.dr, Code39AzaleaWide3.ttf.13.dr, Code39AzaleaRegular2.ttf.13.drString found in binary or memory: http://www.azalea.com
Source: CrystalDecisions.Web.resources.dll7.13.drString found in binary or memory: http://www.businessobjects.com/ipl/default.asp?destination=PoweredByBusinessObjectslogo&language=EN
Source: setup.exe, setup.exe, 00000012.00000002.4027587700.0000000000B35000.00000002.00000001.01000000.00000007.sdmp, setup.exe, 00000012.00000000.3963127945.0000000000B35000.00000002.00000001.01000000.00000007.sdmp, setup.exe, 00000013.00000002.4064250213.0000000000875000.00000002.00000001.01000000.00000009.sdmp, setup.exe, 00000013.00000000.4010728428.0000000000875000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: u312fren.dll.13.dr, PrintControl_res_zh_CN.cab.13.dr, reportrenderer_res_en.dll.13.dr, dtsagent.dll.13.dr, u3ldtfr.dll.13.dr, crxf_rtf_res_fi.dll.13.dr, p3da3de.dll.13.dr, crxf_wordw_res_en.dll.13.dr, p3dbtko.dll.13.dr, crxf_rtf_res_en.dll.13.dr, crxf_pdf_res_sk.dll.13.dr, CrystalDecisions.Web.resources.dll7.13.dr, x3fsvit.dll.13.dr, ParameterDesigner_res_zh_CN.dll.13.dr, prompt_res_pt.dll.13.dr, p3da3ru.dll.13.dr, x3frchu.dll.13.dr, u3lfres.dll.13.dr, crdb_adoplus_res_tr.dll.13.drString found in binary or memory: http://www.sap.com0
Source: wget.exe, 00000002.00000002.3494877748.0000000000AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://update.microgate.it/optojump/optojumpnext.exe
Source: wget.exe, 00000002.00000003.3494619687.0000000002B6A000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.3494982114.0000000002B6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://update.microgate.it/optojump/optojumpnext.exeD
Source: wget.exe, 00000002.00000002.3494877748.0000000000AF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://update.microgate.it/optojump/optojumpnext.exeEO
Source: wget.exe, 00000002.00000002.3494877748.0000000000AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://update.microgate.it/optojump/optojumpnext.exeO
Source: wget.exe, 00000002.00000002.3494877748.0000000000AF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://update.microgate.it/optojump/optojumpnext.exeOCC
Source: wget.exe, 00000002.00000002.3494877748.0000000000AF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://update.microgate.it/optojump/optojumpnext.exeto

System Summary

Source: C:\Windows\SysWOW64\wget.exeFile dump: optojumpnext.exe.2.dr 263455292
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: 10_2_00B0A45C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,10_2_00B0A45C
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeCode function: 11_2_007EA45C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,11_2_007EA45C
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: 15_2_00B0A45C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,15_2_00B0A45C
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: 18_2_00B0A45C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,18_2_00B0A45C
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\4154ca.msi
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6267.tmp
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI62D5.tmp
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{4A10D640-13F1-4A13-BAD1-3E3790511B17}
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6C5C.tmp
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451318.0
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451318.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd.manifest
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451318.0\ATL80.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451318.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd.cat
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451349.0
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451349.0\8.0.50727.4053.cat
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451349.0\8.0.50727.4053.policy
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451365.0
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451365.0\msvcm80.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451365.0\msvcr80.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451365.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989.manifest
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451365.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989.cat
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451365.0\msvcp80.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451474.0
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451474.0\8.0.50727.4053.policy
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451474.0\8.0.50727.4053.cat
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451490.0
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451490.0\mfc80u.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451490.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e.cat
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451490.0\mfcm80u.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451490.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e.manifest
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451490.0\mfc80.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451490.0\mfcm80.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451646.0
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451646.0\8.0.50727.4053.policy
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451646.0\8.0.50727.4053.cat
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451646.1
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451646.1\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c.catJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451646.1\mfc80CHT.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451646.1\mfc80DEU.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451646.1\mfc80ESP.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451646.1\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c.manifestJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451646.1\mfc80ENU.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451646.1\mfc80CHS.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451646.1\mfc80ITA.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451646.1\mfc80FRA.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451646.1\mfc80JPN.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451646.1\mfc80KOR.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451756.0Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451756.0\8.0.50727.4053.catJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451756.0\8.0.50727.4053.policyJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451771.0Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451771.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723.catJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451771.0\vcomp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451771.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723.manifestJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451802.0Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451802.0\8.0.50727.4053.catJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451802.0\8.0.50727.4053.policyJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\msvcr71.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\msvcp71.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\2ZQM54W9Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\2ZQM54W9\SAPBusinessObjects.WPF.ViewerShared.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\CS7YDD0WJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\CS7YDD0W\SAPBusinessObjects.WPF.Viewer.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\R5WHX29HJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\R5WHX29H\SAPBusinessObjects.WPF.ViewerShared.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\XWP3DVNZJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\XWP3DVNZ\SAPBusinessObjects.WPF.Viewer.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\GZUMVK9DJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\GZUMVK9D\CrystalDecisions.CrystalReports.Engine.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\BFUG8TWTJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\BFUG8TWT\CrystalDecisions.ReportSource.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\AOPA0BQXJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\AOPA0BQX\CrystalDecisions.Shared.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\J8QK6M3PJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\J8QK6M3P\CrystalDecisions.VSDesigner.Mobile.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\ZP2Y2ZJKJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\ZP2Y2ZJK\CrystalDecisions.VSDesigner.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\FP6BNFUHJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\FP6BNFUH\CrystalDecisions.Web.Mobile.MobileViewerSys.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\JXBYBJ65Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\JXBYBJ65\CrystalDecisions.Web.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\MAU4NKYBJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\MAU4NKYB\CrystalDecisions.Windows.Forms.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\YB00TSL7Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\YB00TSL7\SAPBusinessObjects.WPF.ViewerShared.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\2W0MXMUJJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\2W0MXMUJ\SAPBusinessObjects.WPF.Viewer.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\PUU3CUJDJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\PUU3CUJD\CrystalDecisions.CrystalReports.Engine.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\4Q5PEM8PJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\4Q5PEM8P\CrystalDecisions.ReportSource.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\5Q78957SJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\5Q78957S\CrystalDecisions.Shared.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\UZ6MWTDPJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\UZ6MWTDP\CrystalDecisions.VSDesigner.Mobile.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\ROD5FRDXJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\ROD5FRDX\CrystalDecisions.VSDesigner.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\PGVPZCZGJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\PGVPZCZG\CrystalDecisions.Web.Mobile.MobileViewerSys.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\UWK7THG6Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\UWK7THG6\CrystalDecisions.Web.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\4W184EXTJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\4W184EXT\CrystalDecisions.Windows.Forms.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\HW8U3FG6Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\HW8U3FG6\CrystalDecisions.CrystalReports.Engine.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\A2OG2MOWJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\A2OG2MOW\CrystalDecisions.ReportSource.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\TEHOMAIVJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\TEHOMAIV\CrystalDecisions.Shared.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\HZ7D1KIOJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\HZ7D1KIO\CrystalDecisions.VSDesigner.Mobile.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\XU5MHCJXJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\XU5MHCJX\CrystalDecisions.VSDesigner.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\V1SUYTKJJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\V1SUYTKJ\CrystalDecisions.Web.Mobile.MobileViewerSys.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\DDU0R7DQJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\DDU0R7DQ\CrystalDecisions.Web.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\94KTCR94Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\94KTCR94\CrystalDecisions.Windows.Forms.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\BIB90YD4Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\BIB90YD4\SAPBusinessObjects.WPF.ViewerShared.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\1CKS4AMXJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\1CKS4AMX\SAPBusinessObjects.WPF.Viewer.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\13S0U6ARJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\13S0U6AR\CrystalDecisions.CrystalReports.Engine.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\7CZXGZYMJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\7CZXGZYM\CrystalDecisions.ReportSource.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\VMEZVSEDJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\VMEZVSED\CrystalDecisions.Shared.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\TKKJ6ZUVJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\TKKJ6ZUV\CrystalDecisions.VSDesigner.Mobile.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\QT2RWY2DJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\QT2RWY2D\CrystalDecisions.VSDesigner.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\2ZTAKVG3Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\2ZTAKVG3\CrystalDecisions.Web.Mobile.MobileViewerSys.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\5CRZCV7KJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\5CRZCV7K\CrystalDecisions.Web.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\8FDXG7H9Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\8FDXG7H9\CrystalDecisions.Windows.Forms.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\W5WARI3LJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\W5WARI3L\SAPBusinessObjects.WPF.ViewerShared.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\DSI3AZ9EJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\DSI3AZ9E\SAPBusinessObjects.WPF.Viewer.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\L8P4QM9NJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\L8P4QM9N\CrystalDecisions.Data.AdoDotNetInterop.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\3HY15T7IJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\3HY15T7I\SAPBusinessObjects.WPF.ViewerShared.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\1T4IL8URJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\1T4IL8UR\SAPBusinessObjects.WPF.Viewer.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\LD3T68X8Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\LD3T68X8\CrystalDecisions.CrystalReports.Engine.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\BMXRJQCZJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\BMXRJQCZ\CrystalDecisions.ReportSource.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\CD5M7MAGJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\CD5M7MAG\CrystalDecisions.Shared.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\SPSEFXL9Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\SPSEFXL9\CrystalDecisions.VSDesigner.Mobile.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\I4QW3CEVJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\I4QW3CEV\CrystalDecisions.VSDesigner.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\RG4F0JCMJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\RG4F0JCM\CrystalDecisions.Web.Mobile.MobileViewerSys.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\W2ZGPH3QJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\W2ZGPH3Q\CrystalDecisions.Web.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\QMBNXHI2Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\QMBNXHI2\CrystalDecisions.Windows.Forms.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\C7SSKPR8Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\C7SSKPR8\CrystalDecisions.CrystalReports.Engine.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\25RQY8K1Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\25RQY8K1\CrystalDecisions.ReportSource.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\A0O7M7F3Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\A0O7M7F3\CrystalDecisions.Shared.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\PLA4ZRXIJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\PLA4ZRXI\CrystalDecisions.VSDesigner.Mobile.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\3M12KTOSJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\3M12KTOS\CrystalDecisions.VSDesigner.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\5GC0E921Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\5GC0E921\CrystalDecisions.Web.Mobile.MobileViewerSys.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\OKXS34X7Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\OKXS34X7\CrystalDecisions.Web.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\4DVQWAVNJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\4DVQWAVN\CrystalDecisions.Windows.Forms.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\IOY7IAUWJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\IOY7IAUW\CrystalDecisions.CrystalReports.Engine.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\LHA4ZL45Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\LHA4ZL45\CrystalDecisions.ReportSource.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\CF021TEEJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\CF021TEE\CrystalDecisions.Shared.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\MZ32PGJ9Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\MZ32PGJ9\CrystalDecisions.VSDesigner.Mobile.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\R9DU8YEOJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\R9DU8YEO\CrystalDecisions.VSDesigner.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\SCSFKCC2Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\SCSFKCC2\CrystalDecisions.Web.Mobile.MobileViewerSys.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\89XKOITCJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\89XKOITC\CrystalDecisions.Web.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\OMHCQ89TJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\OMHCQ89T\CrystalDecisions.Windows.Forms.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\7NXAF55TJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\7NXAF55T\SAPBusinessObjects.WPF.ViewerShared.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\ELW9QFV0Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\ELW9QFV0\SAPBusinessObjects.WPF.Viewer.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\NIBV2Z0HJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\NIBV2Z0H\SAPBusinessObjects.WPF.Viewer.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\CKFTFLP8Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\CKFTFLP8\SAPBusinessObjects.WPF.ViewerShared.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\LAK3XT79Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\LAK3XT79\SAPBusinessObjects.WPF.ViewerShared.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\AR1KKX80Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\AR1KKX80\SAPBusinessObjects.WPF.Viewer.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI6267.tmp
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: String function: 00AF7010 appears 102 times
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: String function: 00AA1410 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: String function: 00AECDA9 appears 71 times
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: String function: 00AF7A15 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: String function: 00AF4216 appears 1103 times
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: String function: 00AF42B5 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: String function: 00AA1070 appears 63 times
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: String function: 00AA3920 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: String function: 00AF2B96 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: String function: 00AF4249 appears 1146 times
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: String function: 00AFF4CE appears 51 times
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: String function: 00AB6E87 appears 63 times
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: String function: 00AB0A27 appears 194 times
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: String function: 00AF2F86 appears 171 times
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: String function: 00AF2E67 appears 91 times
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: String function: 00AAC6A3 appears 324 times
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: String function: 00AF427F appears 291 times
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: String function: 00AA25E0 appears 1368 times
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: String function: 00AF2E39 appears 126 times
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: String function: 00AB1233 appears 126 times
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeCode function: String function: 007825E0 appears 457 times
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeCode function: String function: 007D7010 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeCode function: String function: 00791233 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeCode function: String function: 0078C6A3 appears 112 times
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeCode function: String function: 007D4216 appears 367 times
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeCode function: String function: 007D4249 appears 383 times
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeCode function: String function: 007D427F appears 97 times
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeCode function: String function: 007D2E39 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeCode function: String function: 00790A27 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeCode function: String function: 007D2F86 appears 57 times
Source: _is402B..dll.11.dr Static PE information: Resource name: None type: DOS executable (COM)
Source: crdb_ado_res_it.dll.13.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: crdb_p2s_res_sk.dll.13.dr Static PE information: No import functions for PE file found
Source: p3sifit.dll.13.dr Static PE information: No import functions for PE file found
Source: x3dptcs.dll.13.dr Static PE information: No import functions for PE file found
Source: x3fsvit.dll.13.dr Static PE information: No import functions for PE file found
Source: u312dtsv.dll.13.dr Static PE information: No import functions for PE file found
Source: p3sifnb.dll.13.dr Static PE information: No import functions for PE file found
Source: u3lfrsv.dll.13.dr Static PE information: No import functions for PE file found
Source: crdb_dao_res_sk.dll.13.dr Static PE information: No import functions for PE file found
Source: x3dntes.dll.13.dr Static PE information: No import functions for PE file found
Source: crdb_dictionary_res_sk.dll.13.dr Static PE information: No import functions for PE file found
Source: p3tbten.dll.13.dr Static PE information: No import functions for PE file found
Source: x3fcrzh_TW.dll.13.dr Static PE information: No import functions for PE file found
Source: x3dpthu.dll.13.dr Static PE information: No import functions for PE file found
Source: x3dvmfi.dll.13.dr Static PE information: No import functions for PE file found
Source: crxf_pdf_res_da.dll.13.dr Static PE information: No import functions for PE file found
Source: crxf_xls_res_fr.dll.13.dr Static PE information: No import functions for PE file found
Source: crdb_pc_res_sk.dll.13.dr Static PE information: No import functions for PE file found
Source: u31220sv.dll.13.dr Static PE information: No import functions for PE file found
Source: x3ftxja.dll.13.dr Static PE information: No import functions for PE file found
Source: crdb_query_res_sk.dll.13.dr Static PE information: No import functions for PE file found
Source: ParameterDesigner_res_pt.dll.13.dr Static PE information: No import functions for PE file found
Source: crdb_adoplus_res_nl.dll.13.dr Static PE information: No import functions for PE file found
Source: crxf_html_res_th.dll.13.dr Static PE information: No import functions for PE file found
Source: p3dbezh_TW.dll.13.dr Static PE information: No import functions for PE file found
Source: x3frdtr.dll.13.dr Static PE information: No import functions for PE file found
Source: PrintControl_res_zh_CN.dll.13.dr Static PE information: No import functions for PE file found
Source: x3dmpen.dll.13.dr Static PE information: No import functions for PE file found
Source: p3soupt.dll.13.dr Static PE information: No import functions for PE file found
Source: querybuilder_res_de.dll.13.dr Static PE information: No import functions for PE file found
Source: x3dptpl.dll.13.dr Static PE information: No import functions for PE file found
Source: x3dvmzh_CN.dll.13.dr Static PE information: No import functions for PE file found
Source: x3ftxzh_TW.dll.13.dr Static PE information: No import functions for PE file found
Source: u312sasv.dll.13.dr Static PE information: No import functions for PE file found
Source: u3520sv.dll.13.dr Static PE information: No import functions for PE file found
Source: x3frdcs.dll.13.dr Static PE information: No import functions for PE file found
Source: crdb_ado_res_zh_TW.dll.13.dr Static PE information: No import functions for PE file found
Source: x3fxm2hu.dll.13.dr Static PE information: No import functions for PE file found
Source: p3ssten.dll.13.dr Static PE information: No import functions for PE file found
Source: u312frsv.dll.13.dr Static PE information: No import functions for PE file found
Source: u3l20sv.dll.13.dr Static PE information: No import functions for PE file found
Source: crdb_odbc_res_tr.dll.13.dr Static PE information: No import functions for PE file found
Source: sscsdk80_res_nl.dll.13.dr Static PE information: No import functions for PE file found
Source: u3ldtsv.dll.13.dr Static PE information: No import functions for PE file found
Source: crxf_xls_res_de.dll.13.dr Static PE information: No import functions for PE file found
Source: ParameterDesigner_res_zh_CN.dll.13.dr Static PE information: No import functions for PE file found
Source: crdb_adoplus_res_it.dll.13.dr Static PE information: No import functions for PE file found
Source: crxf_rtf_res_cs.dll.13.dr Static PE information: No import functions for PE file found
Source: x3frdzh_TW.dll.13.dr Static PE information: No import functions for PE file found
Source: crxf_rtf_res_fi.dll.13.dr Static PE information: No import functions for PE file found
Source: crpe32_res_sv.dll.13.dr Static PE information: No import functions for PE file found
Source: p3dbten.dll.13.dr Static PE information: No import functions for PE file found
Source: x3ftxnb.dll.13.dr Static PE information: No import functions for PE file found
Source: crdb_ado_res_it.dll.13.dr Static PE information: No import functions for PE file found
Source: crxf_wordw_res_sk.dll.13.dr Static PE information: No import functions for PE file found
Source: x3dmppl.dll.13.dr Static PE information: No import functions for PE file found
Source: p3sifes.dll.13.dr Static PE information: No import functions for PE file found
Source: csprintdlg_res_zh_CN.dll.13.dr Static PE information: No import functions for PE file found
Source: CrystalDecisions.Web.resources.dll.13.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal52.evad.win@29/1188@0/1
Source: C:\Users\user\Desktop\download\optojumpnext.exe Code function: 9_2_004021D1 GetLastError,FormatMessageA
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Code function: 10_2_00B0A45C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe Code function: 11_2_007EA45C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Code function: 15_2_00B0A45C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Code function: 18_2_00B0A45C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Users\user\Desktop\download\optojumpnext.exe Code function: 9_2_00405723 GetModuleHandleA,GetProcAddress,lstrcpyA,lstrcatA,GetDiskFreeSpaceExA,GetLastError,GetDiskFreeSpaceA
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Code function: 10_2_00AD8BBA CoCreateInstance
Source: C:\Users\user\Desktop\download\optojumpnext.exe Code function: 9_2_004051E5 GetModuleHandleA,FindResourceA,LoadResource,SizeofResource,LockResource
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SAP BusinessObjects
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3484:120:WilError_03
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\VC_Redist_SetupMutex
Source: C:\Users\user\Desktop\download\optojumpnext.exe File created: C:\Users\user\AppData\Local\Temp\plfE613.tmp
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: runfromtemp 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: eprq 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: debuglog 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: Setup.cpp 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: reboot 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: Setup.cpp 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: Setup.cpp 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: %s%s 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: tempdisk1folder 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: ISSetup.dll 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: ISSetup.dll 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: Skin 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: Startup 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: setup.isn 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: Supported 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: Languages 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: %s\%s.ini 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: %s\%s.ini 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: %s\%.04ld.mst 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: %s\%.04ld.mst 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: Setup.cpp 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: clone_wait 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Command line argument: Setup.cpp 10_2_00AE2355
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe File read: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\_ISMSIDEL.INI
Source: C:\Windows\SysWOW64\wget.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: setup.exe, 00000013.00000003.4013207345.00000000015D6000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000013.00000003.4013024278.00000000015D5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000013.00000003.4013128967.00000000015D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Select the language for the installation from the choices below.30] ;Spport
Source: setup.exe, 0000000B.00000003.3758423834.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000B.00000003.3758455189.000000000160E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000B.00000003.3758511705.0000000001610000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Select the language for this installation from the choices below.+[;
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://update.microgate.it/optojump/optojumpnext.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://update.microgate.it/optojump/optojumpnext.exe"
Source: unknown Process created: C:\Users\user\Desktop\download\optojumpnext.exe "C:\Users\user\Desktop\download\optojumpnext.exe"
Source: C:\Users\user\Desktop\download\optojumpnext.exe Process created: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe "C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Process created: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe /q"C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}" /IS_temp
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{a0689fe9-3467-4d73-bc25-d0f696ad268a}\CRRuntime_32bit_13_0_10.msi" /qn /norestart
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 80DCE7E404A3D2C744ABC8DE5968C142
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe "C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe "C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe Process created: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exe C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exe /q"C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}" /IS_temp
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe Process created: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe "C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe" /q
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe Process created: C:\1adc35b2a430ffb6f8fdcb\Setup.exe c:\1adc35b2a430ffb6f8fdcb\Setup.exe /q
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{B1165B38-CA52-11E0-A63D-7C004824019B}\SSCERuntime_x86-ENU.msi" /q /norestart
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1AA463F152CC7C817FC4EBBAEC5BC88D
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2150726FCB1B5064F395F524C5BCA25E E Global\MSI0000
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\wget.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\wget.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\wget.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\wget.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\wget.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\wget.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\SysWOW64\wget.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\wget.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\SysWOW64\wget.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\SysWOW64\wget.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\wget.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\wget.exeSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: acgenral.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: samcli.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: msacm32.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: lz32.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: riched32.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: riched20.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: usp10.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: msls31.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\download\optojumpnext.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: acgenral.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: samcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: msacm32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: acgenral.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: samcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: msacm32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: msi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cryptnet.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: odbc32.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeSection loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: clusapi.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeSection loaded: feclient.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: apphelp.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: acgenral.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: uxtheme.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: winmm.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: samcli.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: msacm32.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: version.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: userenv.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: dwmapi.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: urlmon.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: mpr.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: sspicli.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: winmmbase.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: winmmbase.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: iertutil.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: srvcli.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: netutils.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: aclayers.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: sfc.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: sfc_os.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: setupengine.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: msi.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: winhttp.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: secur32.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: sqmapi.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: msasn1.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: windows.storage.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: wldp.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: profapi.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: ntmarta.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: kernel.appcore.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: msxml3.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: cryptsp.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: rsaenh.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: cryptbase.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: gpapi.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: msisip.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: srpapi.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: tsappcmp.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: netapi32.dll
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeSection loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: sxs.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msxml3.dll
Source: C:\Windows\SysWOW64\wget.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe File written: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\_ISMSIDEL.INI
Source: C:\Users\user\Desktop\download\optojumpnext.exe Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe Automated click: Install
Source: C:\Users\user\Desktop\download\optojumpnext.exe File opened: C:\Windows\SysWOW64\RICHED32.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\msiexec.exe File opened: C:\Windows\WinSxS\InstallTemp\20240930074613390.1\msvcr80.dll
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.dataaccess\p3da3de.pdb source: p3da3de.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\prompt_res_pt.pdb source: prompt_res_pt.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\u312fren.pdb source: u312fren.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\DTSagent.pdb source: dtsagent.dll.13.dr
Source: Binary string: sfxcab.pdb source: vcredist_x86.exe, 00000014.00000002.4720160753.0000000001002000.00000020.00000001.01000000.0000000A.sdmp, vcredist_x86.exe, 00000014.00000000.4617263282.0000000001002000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: sqmapi.pdb source: Setup.exe, 00000015.00000002.4714455712.000000006F6F1000.00000020.00000001.01000000.0000000D.sdmp
Source: Binary string: SetupEngine.pdb source: Setup.exe, 00000015.00000002.4713504272.000000006BBE1000.00000020.00000001.01000000.0000000C.sdmp
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\crxf_pdf_res_sk.pdb source: crxf_pdf_res_sk.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.dataaccess\p3da3ru.pdb source: p3da3ru.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\x3frchu.pdb source: x3frchu.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\reportrenderer_res_en.pdb source: reportrenderer_res_en.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\u3lfres.pdb source: u3lfres.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\crxf_rtf_res_fi.pdb source: crxf_rtf_res_fi.dll.13.dr
Source: Binary string: h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb source: 4154ca.msi.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.dataaccess\p3dbtko.pdb source: p3dbtko.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\ParameterDesigner_res_zh_CN.pdb source: ParameterDesigner_res_zh_CN.dll.13.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setupPreReq.pdb source: setup.exe, 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp, setup.exe, 0000000A.00000000.3716732649.0000000000B35000.00000002.00000001.01000000.00000007.sdmp, setup.exe, 0000000B.00000002.4744250125.0000000000815000.00000002.00000001.01000000.00000008.sdmp, setup.exe, 0000000B.00000000.3756341549.0000000000815000.00000002.00000001.01000000.00000008.sdmp, setup.exe, 0000000F.00000000.3948530982.0000000000B35000.00000002.00000001.01000000.00000007.sdmp, setup.exe, 00000012.00000002.4027587700.0000000000B35000.00000002.00000001.01000000.00000007.sdmp, setup.exe, 00000012.00000000.3963127945.0000000000B35000.00000002.00000001.01000000.00000007.sdmp, setup.exe, 00000013.00000002.4064250213.0000000000875000.00000002.00000001.01000000.00000009.sdmp, setup.exe, 00000013.00000000.4010728428.0000000000875000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\crxf_rtf_res_en.pdb source: crxf_rtf_res_en.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\x3fsvit.pdb source: x3fsvit.dll.13.dr
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.dataaccess\crdb_adoplus_res_tr.pdb source: crdb_adoplus_res_tr.dll.13.dr
Source: Binary string: Setup.pdb source: Setup.exe, 00000015.00000002.4710518061.0000000000FF1000.00000020.00000001.01000000.0000000B.sdmp, Setup.exe, 00000015.00000000.4640088888.0000000000FF1000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\u3ldtfr.pdb source: u3ldtfr.dll.13.dr
Source: Binary string: SetupResources.pdb source: SetupResources.dll8.20.dr
Source: _is402B..dll.11.drStatic PE information: 0xC43EA530 [Tue May 1 22:37:36 2074 UTC]
Source: C:\Users\user\Desktop\download\optojumpnext.exeCode function: 9_2_0040C84D LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,9_2_0040C84D
Source: dotNetFx40_Full_x86_x64.exe.9.drStatic PE information: section name: .boxld01
Source: crdb_dictionary.dll.13.drStatic PE information: section name: _CODE
Source: smagentapi.dll.13.drStatic PE information: section name: .data1
Source: C:\Users\user\Desktop\download\optojumpnext.exeCode function: 9_2_00407C60 push eax; ret 9_2_00407C8E
Source: C:\Users\user\Desktop\download\optojumpnext.exeCode function: 9_2_004083D8 push eax; ret 9_2_004083F6
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: 10_2_00AF41E4 push ecx; ret 10_2_00AF41F7
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: 10_2_00AF7055 push ecx; ret 10_2_00AF7068
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeCode function: 11_2_007D41E4 push ecx; ret 11_2_007D41F7
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeCode function: 11_2_007D7055 push ecx; ret 11_2_007D7068
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: 15_2_00AF41E4 push ecx; ret 15_2_00AF41F7
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: 15_2_00AF7055 push ecx; ret 15_2_00AF7068
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: 18_2_00AF41E4 push ecx; ret 18_2_00AF41F7
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: 18_2_00AF7055 push ecx; ret 18_2_00AF7068
Source: CrystalDecisions.Web.resources.dll.13.drStatic PE information: section name: .text entropy: 7.396506405192319
Source: CrystalDecisions.Web.resources.dll0.13.drStatic PE information: section name: .text entropy: 7.008201733948729

Persistence and Installation Behavior

Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Blob
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fsvsk.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3ddkfr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\P2soutlk.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_cdo_res_pl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3dbezh_TW.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u35dtja.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\7CZXGZYM\CrystalDecisions.ReportSource.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crxf_rtf_res_en.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\3GW8YO88\CrystalDecisions.Windows.Forms.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3dmpen.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_query_res_sk.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\2K4E0C4U\CrystalDecisions.Web.Mobile.MobileViewerSys.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_oracle_res_fi.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3souen.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fodpt.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_odbc_res_da.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fodnb.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\implode.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3sifes.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\40ENG36U\SAPBusinessObjects.WPF.ViewerShared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\BCM-4-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\c2d6dtcs.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u2frdef.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\TNK35R5B\CrystalDecisions.VSDesigner.Mobile.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3ra3zh_TW.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\smcommonutil.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\8FDXG7H9\CrystalDecisions.Windows.Forms.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p2iract3.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3siftr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_db2cli_res_pl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\C4FDATMH\CrystalDecisions.VSDesigner.Mobile.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\PGVPZCZG\CrystalDecisions.Web.Mobile.MobileViewerSys.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\94KTCR94\CrystalDecisions.Windows.Forms.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_adoplus_res_nl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_oracle_res_tr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3tbtit.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\dtsagentd_res_tr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\dtsagentd_res_ru.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\ActiveXControls\csprintdlg_res_zh_CN.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\saxserialize_res_de.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u312dtfr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_pc_res_sk.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3sousv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\rptdefmodel_res_hu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crqe_res_en.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u35s1sv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3tbthu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3tbtpt.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\commonobjmodel_res_hu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\saxmlserialize_res_de.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\SWAQSL4E\CrystalDecisions.CrystalReports.Engine.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\pageobjectmodel_res_fr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fxmzh_CN.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\X6A06IXJ\CrystalDecisions.ReportSource.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\sscsdk80.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3ftxnb.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_adoplus_res_cs.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3da3zh_TW.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u312dtpl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\0S4IETS5\CrystalDecisions.Shared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\ActiveXControls\PrintControl_res_zh_CN.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\pageobjectmodel_res_pl.dllJump to dropped file
Source: C:\Users\user\Desktop\download\optojumpnext.exeFile created: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\AOPA0BQX\CrystalDecisions.Shared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u2ftext.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\dtsagentd_res_ja.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3dbthu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\ActiveXControls\PrintControl_res_zh_TW.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\4JWH5PWK\CrystalDecisions.Windows.Forms.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3frcfr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\ActiveXControls\PrintControl_res_th.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeFile created: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_fielddef.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\clientdoc_res_de.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\85KLLAB2\CrystalDecisions.CrystalReports.Engine.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crpe32_res_en.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u35s1pl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u312frda.dllJump to dropped file
Source: C:\Users\user\Desktop\download\optojumpnext.exe | File created: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\reportrenderer_res_da.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\FGX1QJPW\CrystalDecisions.Web.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\querybuilder_res_fi.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u31220fr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\sacommoncontrols_res_hu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_adoplus_res_pl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\csprintdlg_res_ja.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_p2s_res_nl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\localcon_res_zh_TW.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\BIB90YD4\SAPBusinessObjects.WPF.ViewerShared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_query_res_sv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3souzh_CN.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\libcurl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\QT2RWY2D\CrystalDecisions.VSDesigner.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\ActiveXControls\PrintControl_res_sv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fsvit.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_dataset_res_pl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\objectfactory_res_hu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\4W184EXT\CrystalDecisions.Windows.Forms.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_dao_res_nl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_fielddef_res_it.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\reportrenderer_res_sv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u3ldtpl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3sstsv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_oracle_res_cs.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fsvfr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fxm2sv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\Crddt32.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fxm2hu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\BVLYGOZ6\CrystalDecisions.ReportSource.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\ccme_base.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_pc_res_sv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\ParameterDesigner_res_nl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_adoplus_res_tr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3dmpja.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_oracle_res_nl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_ado_res_sk.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\NDI8N8ZE\CrystalDecisions.Web.Mobile.MobileViewerSys.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\smerrlog.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u35dten.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crxf_wordw_res_nl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\DDU0R7DQ\CrystalDecisions.Web.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crxf_xls.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_com_res_sk.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\W7Q0HZGX\SAPBusinessObjects.WPF.ViewerShared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3dptja.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fsvnb.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\sscsdk80_res_ru.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\xerces-c_2_1_0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\VMEZVSED\CrystalDecisions.Shared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fcrzh_TW.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u31220da.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fxmpt.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\querybuilder_res_de.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3frdzh_TW.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3souru.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3dptpl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u3lfren.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crxf_xls_res_zh_CN.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u3lfrsv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\TXXOS14F\SAPBusinessObjects.WPF.Viewer.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fcrzh_CN.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\c2d6dtru.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\MAU4NKYB\CrystalDecisions.Windows.Forms.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u31220pl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crxf_xls_res_pl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\BJSMK5VR\CrystalDecisions.CrystalReports.Engine.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\saxmlserialize_res_hu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3ssten.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\sscsdk80_res_es.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\requestmodel_res_de.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_oracle_res_th.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u312sasv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_db2cli_res_zh_CN.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crlov_res_ko.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\30N3WX19\SAPBusinessObjects.WPF.Viewer.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u3ldtja.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_adoplus_res_zh_TW.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\saxserialize_res_hu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\HZ7D1KIO\CrystalDecisions.VSDesigner.Mobile.resources.dllJump to dropped file
Source: C:\Users\user\Desktop\download\optojumpnext.exeFile created: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3dbede.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crpe32_res_pl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\dtsagentd_res_it.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\clientdoc_res_hu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fxmit.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\reportrenderer_res_en.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\ActiveXControls\PrintControl_res_en.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3da3fr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crxf_wordw_res_en.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\csprintdlg_res_pl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u35dtda.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\reportrenderer_res_fr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u3520ja.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\sscsdk80_res_ko.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3da3pl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u31220sv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\localcon_res_tr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_dataset_res_es.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_p2bbde.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3ftxzh_TW.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\localcon_res_ru.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\c2d6dtpt.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\5CRZCV7K\CrystalDecisions.Web.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3dpthu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_odbc_res_sk.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\626GTWKH\CrystalDecisions.VSDesigner.Mobile.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u312sapl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\FLIPZ2F3\CrystalDecisions.Shared.resources.dllJump to dropped file
Source: C:\Windows\SysWOW64\wget.exeFile created: C:\Users\user\Desktop\download\optojumpnext.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\dotnet\CrystalDecisions.Data.AdoDotNetInterop.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u312safr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\sscsdk80_res_de.dllJump to dropped file
Source: C:\Users\user\Desktop\download\optojumpnext.exeFile created: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{57bcd1d4-2de9-49d9-bc0c-3f4263e9970e}\WindowsInstaller-KB893803-v2-x86.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3dptsk.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3ssthu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_fielddef_res_pt.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_adoplus_res_it.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3dbehu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3dvmzh_CN.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_adoplus_res_fr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u3lfrfr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fxmpl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\ParameterDesigner_res_da.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\localcon_res_ja.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\13S0U6AR\CrystalDecisions.CrystalReports.Engine.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\EMB0YI5C\SAPBusinessObjects.WPF.Viewer.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u35dtfr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\X6A06IXJ\CrystalDecisions.ReportSource.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\BMXRJQCZ\CrystalDecisions.ReportSource.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074613390.1\msvcr80.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\VMEZVSED\CrystalDecisions.Shared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451318.0\ATL80.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451490.0\mfc80u.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\IIGQ9HG8\CrystalDecisions.VSDesigner.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\51SBOTZ2\SAPBusinessObjects.WPF.ViewerShared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\0S4IETS5\CrystalDecisions.Shared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\AOPA0BQX\CrystalDecisions.Shared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451646.1\mfc80ENU.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\2ZQM54W9\SAPBusinessObjects.WPF.ViewerShared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\TXXOS14F\SAPBusinessObjects.WPF.Viewer.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\RG4F0JCM\CrystalDecisions.Web.Mobile.MobileViewerSys.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451646.1\mfc80KOR.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\4JWH5PWK\CrystalDecisions.Windows.Forms.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\MAU4NKYB\CrystalDecisions.Windows.Forms.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\BJSMK5VR\CrystalDecisions.CrystalReports.Engine.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\PUU3CUJD\CrystalDecisions.CrystalReports.Engine.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\CS7YDD0W\SAPBusinessObjects.WPF.Viewer.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\FP6BNFUH\CrystalDecisions.Web.Mobile.MobileViewerSys.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\85KLLAB2\CrystalDecisions.CrystalReports.Engine.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBE12.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451365.0\msvcr80.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\HW8U3FG6\CrystalDecisions.CrystalReports.Engine.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451771.0\vcomp.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\7I4WH7GP\CrystalDecisions.Windows.Forms.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\30N3WX19\SAPBusinessObjects.WPF.Viewer.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\FWSCSB2G\CrystalDecisions.Web.Mobile.MobileViewerSys.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\A4XPZTC6\SAPBusinessObjects.WPF.ViewerShared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\UZ6MWTDP\CrystalDecisions.VSDesigner.Mobile.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\4AWW8LP3\CrystalDecisions.VSDesigner.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\TVG5ATTP\CrystalDecisions.Shared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\T5PYV80Q\Microsoft.Synchronization.Data.Server.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\TAD5V0ZY\CrystalDecisions.Web.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\5H81AJBH\CrystalDecisions.ReportSource.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\HZ7D1KIO\CrystalDecisions.VSDesigner.Mobile.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\msvcr71.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\QMBNXHI2\CrystalDecisions.Windows.Forms.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451365.0\msvcm80.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\9NFPM341\CrystalDecisions.Shared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\S4690VQP\SAPBusinessObjects.WPF.Viewer.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\W2ZGPH3Q\CrystalDecisions.Web.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451490.0\mfcm80.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\CD5M7MAG\CrystalDecisions.Shared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451365.0\msvcp80.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451646.1\mfc80JPN.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\V1SUYTKJ\CrystalDecisions.Web.Mobile.MobileViewerSys.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\SPSEFXL9\CrystalDecisions.VSDesigner.Mobile.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\ROD5FRDX\CrystalDecisions.VSDesigner.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\L8P4QM9N\CrystalDecisions.Data.AdoDotNetInterop.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\1VZJ83VX\SAPBusinessObjects.WPF.Viewer.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\5CRZCV7K\CrystalDecisions.Web.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\CRGXKBUS\CrystalDecisions.CrystalReports.Engine.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\626GTWKH\CrystalDecisions.VSDesigner.Mobile.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451646.1\mfc80CHS.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\D3M4L4TP\policy.3.5.System.Data.SqlServerCe.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\JXBYBJ65\CrystalDecisions.Web.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\IZ8SNHVW\Microsoft.Synchronization.Data.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\FLIPZ2F3\CrystalDecisions.Shared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\1LOQFF02\CrystalDecisions.Web.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI62D5.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\YY1KAYSV\CrystalDecisions.Web.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20240930074451646.1\mfc80ITA.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\msvcp71.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\5MHF02JX\System.Data.SqlServerCe.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\A2OG2MOW\CrystalDecisions.ReportSource.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\I1TPN99T\CrystalDecisions.VSDesigner.Mobile.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\E4QRLP5W\CrystalDecisions.VSDesigner.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBAE4.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\6FTOPTQV\CrystalDecisions.Shared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\LD3T68X8\CrystalDecisions.CrystalReports.Engine.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\13S0U6AR\CrystalDecisions.CrystalReports.Engine.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\GZUMVK9D\CrystalDecisions.CrystalReports.Engine.resources.dllJump to dropped file
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeFile created: C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20240930_074606050-MSI_vc_red.msi.txt
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeFile created: c:\1adc35b2a430ffb6f8fdcb\1033\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeFile created: c:\1adc35b2a430ffb6f8fdcb\1041\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeFile created: c:\1adc35b2a430ffb6f8fdcb\1042\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeFile created: c:\1adc35b2a430ffb6f8fdcb\1028\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeFile created: c:\1adc35b2a430ffb6f8fdcb\2052\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeFile created: c:\1adc35b2a430ffb6f8fdcb\1040\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeFile created: c:\1adc35b2a430ffb6f8fdcb\1036\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeFile created: c:\1adc35b2a430ffb6f8fdcb\1031\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeFile created: c:\1adc35b2a430ffb6f8fdcb\3082\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeFile created: c:\1adc35b2a430ffb6f8fdcb\1049\eula.rtf
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\EULA_ENU.rtf
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\VSSetup
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ISSetupPrerequisistes
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: 10_2_00AF75B3 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,10_2_00AF75B3
Source: C:\Windows\System32\msiexec.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob
Source: C:\Users\user\Desktop\download\optojumpnext.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crxf_pdf_res_cs.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3ddkfr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3dbtsv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_cdo_res_pl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crxf_rtf_res_en.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\3GW8YO88\CrystalDecisions.Windows.Forms.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\1T4IL8UR\SAPBusinessObjects.WPF.Viewer.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3dmpen.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\2K4E0C4U\CrystalDecisions.Web.Mobile.MobileViewerSys.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\commonobjmodel_res_da.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\FWSCSB2G\CrystalDecisions.Web.Mobile.MobileViewerSys.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\rptcontrollers_res_hu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_fielddef_res_de.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3tbten.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\gdiplus.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3da3ru.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\QMBNXHI2\CrystalDecisions.Windows.Forms.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240930074451365.0\msvcm80.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_ado_res_es.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\S4690VQP\SAPBusinessObjects.WPF.Viewer.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\Xalan-C_1_10.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_cdo_res_nb.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u312sada.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240930074451490.0\mfcm80.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\ActiveXControls\csprintdlg_res_th.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\CD5M7MAG\CrystalDecisions.Shared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3sousk.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240930074451646.1\mfc80JPN.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\SPSEFXL9\CrystalDecisions.VSDesigner.Mobile.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fodde.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crpe32_res_da.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_dataset_res_pt.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3dptcs.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3siffi.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u3lfrja.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\JXBYBJ65\CrystalDecisions.Web.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\YY1KAYSV\CrystalDecisions.Web.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crxf_rtf_res_fi.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\ActiveXControls\csprintdlg_res_es.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_com_res_ja.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_dataset_res_it.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3dbtfr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_odbc_res_pt.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u3ldtit.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fxm2fr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\datadefmodel_res_ja.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\XalanMessages_1_10.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3dmpzh_TW.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3ra3ko.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u3l20it.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u312dten.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crlang.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u312frja.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3da3sv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_p2soutlk.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\prompt_res_da.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\saxserialize_res_da.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u3ldtes.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\querybuilder_res_fi.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\FGX1QJPW\CrystalDecisions.Web.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u31220fr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_fielddef_res_sv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_FileSystem_res_sk.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\csprintdlg_res_ja.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\fssl-1-2-1-6.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crxf_xls_res_tr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\QT2RWY2D\CrystalDecisions.VSDesigner.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3da3it.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_dataset_res_pl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\objectfactory_res_hu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\4W184EXT\CrystalDecisions.Windows.Forms.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_dao_res_nl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240930074451646.1\mfc80FRA.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\GAOBZLEX\CrystalDecisions.VSDesigner.Mobile.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crlov_res_it.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3sstsv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fxm2sv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fsvfr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_pc_res_sv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\ParameterDesigner_res_nl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\ActiveXControls\PrintControl_res_da.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\clientdoc_res_da.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_oracle_res_nl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240930074451490.0\mfc80.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fxmsv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\NDI8N8ZE\CrystalDecisions.Web.Mobile.MobileViewerSys.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u35dten.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\DDU0R7DQ\CrystalDecisions.Web.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crxf_wordw_res_nl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_query_res_pt.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_com_res_sk.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fsvnb.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3tbtsk.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\xerces-c_2_1_0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\VMEZVSED\CrystalDecisions.Shared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fcrzh_TW.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u31220da.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeDropped PE file which has not been started: C:\1adc35b2a430ffb6f8fdcb\1049\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u3lfrsv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\TXXOS14F\SAPBusinessObjects.WPF.Viewer.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Microsoft.Synchronization.Data.Server.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\c2d6dtru.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u312sait.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_query_res_en.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u31220pl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\localcon_res_pt.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\MAU4NKYB\CrystalDecisions.Windows.Forms.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Private\System.Data.SqlServerCe.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\sscsdk80_res_es.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\reportrenderer_res_nb.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_oracle_res_th.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u312sasv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_db2cli_res_zh_CN.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\saxserialize_res_hu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\ActiveXControls\PrintControl_res_hu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3dbede.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crpe32_res_pl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\clientdoc_res_hu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\reportrenderer_res_en.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crqe_res_ru.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crxf_wordw_res_en.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\csprintdlg_res_pl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\reportrenderer_res_fr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u3520ja.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3tbtsv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6267.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\dtsagentd_res_ru.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\dtsagentd_res_tr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u312dtfr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_pc_res_sk.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crqe_res_en.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\I4QW3CEV\CrystalDecisions.VSDesigner.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\HLLC4DDD\CrystalDecisions.Web.Mobile.MobileViewerSys.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\saxmlserialize_res_de.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\cubedefmodel_res_ja.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\pageobjectmodel_res_fr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3fxmzh_CN.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_p2s_res_zh_TW.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_adoplus_res_cs.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3da3zh_TW.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u312dtpl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3frcen.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\51SBOTZ2\SAPBusinessObjects.WPF.ViewerShared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\pageobjectmodel_res_pl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\ActiveXControls\PrintControl_res_zh_CN.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\AOPA0BQX\CrystalDecisions.Shared.resources.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeDropped PE file which has not been started: C:\1adc35b2a430ffb6f8fdcb\1041\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u2ftext.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3ra3sv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3dbthu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_dataset_res_sk.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\ActiveXControls\PrintControl_res_zh_TW.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeDropped PE file which has not been started: C:\1adc35b2a430ffb6f8fdcb\1036\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_fielddef.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\clientdoc_res_de.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\85KLLAB2\CrystalDecisions.CrystalReports.Engine.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crlov_res_th.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3dbtko.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u312frda.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3dbezh_CN.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\UZ6MWTDP\CrystalDecisions.VSDesigner.Mobile.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u25azalea.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crqe_res_ko.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3dbten.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3dntes.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\pageobjectmodel_res_es.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Microsoft.Synchronization.Data.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3soupt.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crxf_html_res_th.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u2fxml.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u35s1it.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3ftxen.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u312fren.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\cxlibw-5-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u3lfrpl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_ado_res_it.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3dbeen.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\ActiveXControls\PrintControl_res_nl.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exeDropped PE file which has not been started: C:\1adc35b2a430ffb6f8fdcb\3082\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\csprintdlg_res_it.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\1LOQFF02\CrystalDecisions.Web.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\querybuilder_res_en.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u3l20es.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_odbc.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_oracle.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_dao_res_pt.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceoledb35.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\sscsdk80_res_th.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\u312dtsv.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\I1TPN99T\CrystalDecisions.VSDesigner.Mobile.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_com_res_pl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\p3ra3fr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\x3dvmfi.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\6FTOPTQV\CrystalDecisions.Shared.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_cdo_res_ko.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\ActiveXControls\csprintdlg_res_it.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crxf_html_res_sk.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\rptdefmodel_res_de.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\sscsdk80_res_fr.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crdb_ado_res_fi.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_10-64443)
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_10-64583)
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; API coverage: 7.3 %
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\download\optojumpnext.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe; File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exe; File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\download\optojumpnext.exe; Code function: 9_2_004014B7 wsprintfA,FindFirstFileA,FindClose,9_2_004014B7
Source: C:\Users\user\Desktop\download\optojumpnext.exe; Code function: 9_2_00404BA4 lstrcpyA,lstrcpyA,lstrcatA,lstrcatA,DeleteFileA,DeleteFileA,FindFirstFileA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,DeleteFileA,FindNextFileA,FindClose,lstrcpyA,lstrlenA,RemoveDirectoryA,9_2_00404BA4
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; Code function: 10_2_00AD168D __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,10_2_00AD168D
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; Code function: 10_2_00AE7E01 __EH_prolog3_GS,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,10_2_00AE7E01
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe; Code function: 11_2_007C7E01 __EH_prolog3_GS,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,11_2_007C7E01
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe; Code function: 11_2_007B168D __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,11_2_007B168D
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; Code function: 15_2_00AD168D __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,15_2_00AD168D
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; Code function: 15_2_00AE7E01 __EH_prolog3_GS,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,15_2_00AE7E01
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; Code function: 18_2_00AD168D __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,18_2_00AD168D
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; Code function: 18_2_00AE7E01 __EH_prolog3_GS,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,18_2_00AE7E01
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; Code function: 10_2_00B0B033 GetModuleHandleW,GetProcAddress,GetSystemInfo,GetNativeSystemInfo,10_2_00B0B033
Source: C:\Users\user\Desktop\download\optojumpnext.exe; File opened: C:\Users\user\AppData\Local\Temp\pftF363~tmp\
Source: C:\Users\user\Desktop\download\optojumpnext.exe; File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\download\optojumpnext.exe; File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\download\optojumpnext.exe; File opened: C:\Users\user\AppData\Local\Temp\plfE613.tmp
Source: C:\Users\user\Desktop\download\optojumpnext.exe; File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\download\optojumpnext.exe; File opened: C:\Users\user\
Source: 4154ca.msi.13.dr; Binary or memory string: vmcin
Source: wget.exe, 00000002.00000002.3494930158.0000000000B88000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; API call chain: ExitProcess graph end node (graph_10-64444)
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe; API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe; Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; Code function: 10_2_00AF8ABD _memset,IsDebuggerPresent,10_2_00AF8ABD
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; Code function: 10_2_00AFEE1E EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,10_2_00AFEE1E
Source: C:\Users\user\Desktop\download\optojumpnext.exe; Code function: 9_2_0040C84D LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,9_2_0040C84D
Source: C:\Users\user\Desktop\download\optojumpnext.exe; Code function: 9_2_00405CD0 GetProcessHeap,HeapFree,9_2_00405CD0
Source: C:\Users\user\Desktop\download\optojumpnext.exe; Code function: 9_2_0040C702 SetUnhandledExceptionFilter,9_2_0040C702
Source: C:\Users\user\Desktop\download\optojumpnext.exe; Code function: 9_2_0040C714 SetUnhandledExceptionFilter,9_2_0040C714
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; Code function: 10_2_00AFC3BA SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00AFC3BA
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; Code function: 10_2_00AFC397 SetUnhandledExceptionFilter,10_2_00AFC397
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe; Code function: 11_2_007DC3BA SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_007DC3BA
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe; Code function: 11_2_007DC397 SetUnhandledExceptionFilter,11_2_007DC397
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; Code function: 15_2_00AFC3BA SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_00AFC3BA
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; Code function: 15_2_00AFC397 SetUnhandledExceptionFilter,15_2_00AFC397
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; Code function: 18_2_00AFC3BA SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_00AFC3BA
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; Code function: 18_2_00AFC397 SetUnhandledExceptionFilter,18_2_00AFC397
Source: C:\1adc35b2a430ffb6f8fdcb\Setup.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; Code function: 10_2_00ABCDD3 __EH_prolog3_GS,GetDlgItem,GetDlgItem,GetDlgItem,GetModuleFileNameW,_memset,ShellExecuteExW,WaitForInputIdle,ShowWindow,WaitForSingleObject,GetExitCodeProcess,CloseHandle,GetDlgItem,GetDlgItem,GetDlgItem,SendMessageW,10_2_00ABCDD3
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; Process created: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe /q"C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}" /IS_temp
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{a0689fe9-3467-4d73-bc25-d0f696ad268a}\CRRuntime_32bit_13_0_10.msi" /qn /norestart
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe; Process created: C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe "C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe" /q
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{B1165B38-CA52-11E0-A63D-7C004824019B}\SSCERuntime_x86-ENU.msi" /q /norestart
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe; Process created: C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exe C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exe /q"C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}" /IS_temp
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://update.microgate.it/optojump/optojumpnext.exe" > cmdline.out 2>&1
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: 10_2_00B08AE4 __EH_prolog3_GS,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,_memset,SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetTempPathW,10_2_00B08AE4
Source: setup.exeBinary or memory string: Shell_TrayWnd
Source: setup.exe, 0000000B.00000002.4744250125.0000000000815000.00000002.00000001.01000000.00000008.sdmp, setup.exe, 0000000B.00000000.3756341549.0000000000815000.00000002.00000001.01000000.00000008.sdmpBinary or memory string: 2zShell_TrayWnd0x0409
Source: setup.exe, 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp, setup.exe, 0000000A.00000000.3716732649.0000000000B35000.00000002.00000001.01000000.00000007.sdmp, setup.exe, 0000000F.00000000.3948530982.0000000000B35000.00000002.00000001.01000000.00000007.sdmpBinary or memory string: Shell_TrayWnd0x0409
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: 10_2_00AF6C43 cpuid 10_2_00AF6C43
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: GetLocaleInfoW,10_2_00AF14BD
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,10_2_00AF1438
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,10_2_00ABEC18
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeCode function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,11_2_007D1438
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeCode function: GetLocaleInfoW,11_2_007D14BD
Source: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exeCode function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,11_2_0079EC18
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: GetLocaleInfoW,15_2_00AF14BD
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,15_2_00AF1438
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,15_2_00ABEC18
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: GetLocaleInfoW,18_2_00AF14BD
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,18_2_00AF1438
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,18_2_00ABEC18
Source: C:\Windows\SysWOW64\wget.exeQueries volume information: C:\Users\user\Desktop\download VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\2ZQM54W9\SAPBusinessObjects.WPF.ViewerShared.resources.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\CS7YDD0W\SAPBusinessObjects.WPF.Viewer.resources.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\R5WHX29H\SAPBusinessObjects.WPF.ViewerShared.resources.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\XWP3DVNZ\SAPBusinessObjects.WPF.Viewer.resources.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\GZUMVK9D\CrystalDecisions.CrystalReports.Engine.resources.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\BFUG8TWT\CrystalDecisions.ReportSource.resources.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\AOPA0BQX\CrystalDecisions.Shared.resources.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\J8QK6M3P\CrystalDecisions.VSDesigner.Mobile.resources.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\ZP2Y2ZJK\CrystalDecisions.VSDesigner.resources.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\FP6BNFUH\CrystalDecisions.Web.Mobile.MobileViewerSys.resources.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\JXBYBJ65\CrystalDecisions.Web.resources.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\MAU4NKYB\CrystalDecisions.Windows.Forms.resources.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\YB00TSL7\SAPBusinessObjects.WPF.ViewerShared.resources.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\2W0MXMUJ\SAPBusinessObjects.WPF.Viewer.resources.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\PUU3CUJD\CrystalDecisions.CrystalReports.Engine.resources.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\4Q5PEM8P\CrystalDecisions.ReportSource.resources.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\5Q78957S\CrystalDecisions.Shared.resources.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\ROD5FRDX\CrystalDecisions.VSDesigner.resources.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\4W184EXT\CrystalDecisions.Windows.Forms.resources.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\XQ75BFL5\policy.3.5.System.Data.SqlServerCe.Entity.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\IZ8SNHVW\Microsoft.Synchronization.Data.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\IGZ9USZI\Microsoft.Synchronization.Data.SqlServerCe.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\5MHF02JX\System.Data.SqlServerCe.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\2F3KB36U\System.Data.SqlServerCe.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\D3M4L4TP\policy.3.5.System.Data.SqlServerCe.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\policy.3.5.System.Data.SqlServerCe\3.5.0.0__89845dcd8080cc91\policy.3.5.System.Data.SqlServerCe.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\policy.3.5.System.Data.SqlServerCe.Entity\3.5.0.0__89845dcd8080cc91\policy.3.5.System.Data.SqlServerCe.Entity.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exeCode function: 10_2_00ACD9F2 _memset,_memset,lstrlenW,_memset,wsprintfW,___FUnloadDelayLoadedDLL2@4,LoadLibraryW,GetProcAddress,GetLastError,GetSystemTimeAsFileTime,10_2_00ACD9F2
Source: C:\Users\user\Desktop\download\optojumpnext.exeCode function: 9_2_004083F7 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,9_2_004083F7
Source: C:\Windows\SysWOW64\wget.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: C:\Windows\System32\msiexec.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 BlobJump to behavior
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Replication Through Removable Media (1) | Native API (3) | DLL Side-Loading (1) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (11) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Command and Scripting Interpreter (12) | Windows Service (1) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Peripheral Device Discovery (11) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Registry Run Keys / Startup Folder (1) | Access Token Manipulation (1) | Obfuscated Files or Information (3) | Security Account Manager | File and Directory Discovery (4) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Windows Service (1) | Install Root Certificate (1) | NTDS | System Information Discovery (37) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (12) | Software Packing (2) | LSA Secrets | Security Software Discovery (31) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Registry Run Keys / Startup Folder (1) | Timestomp (1) | Cached Domain Credentials | Process Discovery (2) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | File Deletion (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Masquerading (22) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Modify Registry (1) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Access Token Manipulation (1) | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | Process Injection (12) | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
Behavior graph (image not preserved). Behavior Graph ID: 1522627; URL: https://update.microgate.it...; Startdate: 30/09/2024; Architecture: WINDOWS; Score: 52.
Signatures shown in the graph: Sigma detected: New RUN Key Pointing to Suspicious Folder; Drops large PE files; Installs new ROOT certificates.
DNS/IP node shown in the graph: 217.199.6.83 BRENNERCOM-ASIT Italy.

Source | Detection | Scanner | Label
https://update.microgate.it/optojump/optojumpnext.exe | 0% | Virustotal |

Source | Detection | Scanner | Label
C:\1adc35b2a430ffb6f8fdcb\1028\SetupResources.dll | 0% | Virustotal |
C:\1adc35b2a430ffb6f8fdcb\1028\SetupResources.dll | 0% | ReversingLabs |
C:\1adc35b2a430ffb6f8fdcb\1031\SetupResources.dll | 0% | ReversingLabs |
C:\1adc35b2a430ffb6f8fdcb\1031\SetupResources.dll | 0% | Virustotal |
C:\1adc35b2a430ffb6f8fdcb\1033\SetupResources.dll | 0% | ReversingLabs |
C:\1adc35b2a430ffb6f8fdcb\1033\SetupResources.dll | 0% | Virustotal |
C:\1adc35b2a430ffb6f8fdcb\1036\SetupResources.dll | 0% | ReversingLabs |
C:\1adc35b2a430ffb6f8fdcb\1036\SetupResources.dll | 0% | Virustotal |
C:\1adc35b2a430ffb6f8fdcb\1040\SetupResources.dll | 0% | ReversingLabs |
C:\1adc35b2a430ffb6f8fdcb\1040\SetupResources.dll | 0% | Virustotal |
C:\1adc35b2a430ffb6f8fdcb\1041\SetupResources.dll | 0% | ReversingLabs |
C:\1adc35b2a430ffb6f8fdcb\1041\SetupResources.dll | 0% | Virustotal |
C:\1adc35b2a430ffb6f8fdcb\1042\SetupResources.dll | 0% | ReversingLabs |
C:\1adc35b2a430ffb6f8fdcb\1042\SetupResources.dll | 0% | Virustotal |
C:\1adc35b2a430ffb6f8fdcb\1049\SetupResources.dll | 0% | ReversingLabs |
C:\1adc35b2a430ffb6f8fdcb\1049\SetupResources.dll | 0% | Virustotal |
C:\1adc35b2a430ffb6f8fdcb\2052\SetupResources.dll | 0% | ReversingLabs |
C:\1adc35b2a430ffb6f8fdcb\2052\SetupResources.dll | 0% | Virustotal |
C:\1adc35b2a430ffb6f8fdcb\3082\SetupResources.dll | 0% | ReversingLabs |
C:\1adc35b2a430ffb6f8fdcb\3082\SetupResources.dll | 0% | Virustotal |
C:\1adc35b2a430ffb6f8fdcb\Setup.exe | 0% | ReversingLabs |
C:\1adc35b2a430ffb6f8fdcb\Setup.exe | 0% | Virustotal |
C:\1adc35b2a430ffb6f8fdcb\SetupEngine.dll | 0% | ReversingLabs |
C:\1adc35b2a430ffb6f8fdcb\SetupEngine.dll | 0% | Virustotal |
C:\1adc35b2a430ffb6f8fdcb\SetupUi.dll | 0% | ReversingLabs |
C:\1adc35b2a430ffb6f8fdcb\SetupUi.dll | 0% | Virustotal |
C:\1adc35b2a430ffb6f8fdcb\sqmapi.dll | 0% | ReversingLabs |
C:\1adc35b2a430ffb6f8fdcb\sqmapi.dll | 0% | Virustotal |
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.Data.SqlServerCe.dll | 0% | ReversingLabs |
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.Data.SqlServerCe.dll | 0% | Virustotal |
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Private\System.Data.SqlServerCe.Entity.dll | 0% | ReversingLabs |
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Private\System.Data.SqlServerCe.Entity.dll | 0% | Virustotal |
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Private\System.Data.SqlServerCe.dll | 0% | ReversingLabs |
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Private\System.Data.SqlServerCe.dll | 0% | Virustotal |
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.Data.SqlServerCe.Entity.dll | 0% | ReversingLabs |
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.Data.SqlServerCe.Entity.dll | 0% | Virustotal |
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceca35.dll | 0% | ReversingLabs |
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceca35.dll | 0% | Virustotal |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
http://go.microsoft. | 0% | Virustotal |
http://saturn.installshield.com/is/prerequisites/Microsoft | 0% | Virustotal |
http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d | 0% | Virustotal |
http://saturn.installshield.com/devstudio/setuprequirements/sqlce35sp2/SSCERuntime_x64-ENU.msi | 0% | Virustotal |
http://www.businessobjects.com/ipl/default.asp?destination=PoweredByBusinessObjectslogo&language=EN | 0% | Virustotal |
http://www.azalea.com | 0% | Virustotal |
http://support.businessobjects.com/ARPREADMEBOBJ_NAMEBusiness | 0% | Virustotal |

No contacted domains info
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    217.199.6.83 | unknown | Italy | 20811 | BRENNERCOM-ASIT | false
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1522627
                    Start date and time:2024-09-30 13:40:15 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 14m 56s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:urldownload.jbs
                    Sample URL:https://update.microgate.it/optojump/optojumpnext.exe
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:25
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:1
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal52.evad.win@29/1188@0/1
                    EGA Information:
                    • Successful, ratio: 80%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 98
                    • Number of non-executed functions: 283
                    • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Execution Graph export aborted for target setup.exe, PID 2664 because there are no executed function
                    • Not all processes where analyzed, report is missing behavior information
                    • Report creation exceeded maximum time and may have missing disassembly code information.
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtCreateFile calls found.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenFile calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.
                    • Report size getting too big, too many NtSetValueKey calls found.
                    • Report size getting too big, too many NtWriteFile calls found.
                    • Skipping network analysis since amount of network traffic is too extensive
                    Time | Type | Description
                    12:44:45 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce ISSetupPrerequisistes "C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe"
                    12:44:53 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce ISSetupPrerequisistes "C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe"
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):788
                    Entropy (8bit):0.09823380614560741
                    Encrypted:false
                    SSDEEP:3:lbll/:lB
                    MD5:DF7119A5D3CAEDA80BF0FB6F8E53DE8F
                    SHA1:76458E1D2E0FA4519FACB71A5F23F8799713BE2B
                    SHA-256:3C418A401CBE09F64EDE6E598C5CA36717830446147C8EF6327168EDC7B1CB0C
                    SHA-512:85142D1942111783303FA060348BC76B1DD361336DCCC9DC9CDD3432EC6CF215756CBA66A367E560C9D5719BA4F585434319A66D9A97D9A09F5AC4A752B00B6C
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (388), with CRLF line terminators
                    Category:dropped
                    Size (bytes):30672
                    Entropy (8bit):4.2936704552740705
                    Encrypted:false
                    SSDEEP:384:4Y6C7xfsxMEYgPNRAsy50keJzH7o3oDPnv:MxLJz7
                    MD5:7FC06A77D9AAFCA9FB19FAFA0F919100
                    SHA1:E565740E7D582CD73F8D3B12DE2F4579FF18BB41
                    SHA-256:A27F809211EA1A2D5224CD01101AA3A59BF7853168E45DE28A16EF7ED6ACD46A
                    SHA-512:466DCC6A5FB015BE1619F5725FA62CA46EB0FB428E11F93FD9D82E5DF61C3950B3FB62D4DB7746CC4A2BE199E5E69EAA30B6F3354E0017CFA14D127FAD52F8CF
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13656
                    Entropy (8bit):6.1255358676606155
                    Encrypted:false
                    SSDEEP:384:0auwLmlCW1g+/km7WpWEWkLXci2jpvpq/:0lpffjSMi2jpvpq/
                    MD5:CE844D12E884B8038D4D02F060A1EC9C
                    SHA1:5AFD36D615BEF86D15FE5BCA82446E1CA2A1B74A
                    SHA-256:F290EF58C6B6E48C052B8F2296DA722A8501B40BAF0F5CE9DAABE011B0DDA884
                    SHA-512:E1760E072AE8E1CD5C5916B9196AB8BC8E2B7F2533CDA2DAD269B64F40AA608E49BBA8FF5F952DAEA73ED3F5118654B9B807259C8C95C0CD4E29098DC9D4B7F9
                    Malicious:false
                    Antivirus:
                    • Antivirus: Virustotal, Detection: 0%
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                    Category:dropped
                    Size (bytes):16563
                    Entropy (8bit):4.018763370458213
                    Encrypted:false
                    SSDEEP:384:32ddGEAeNy78Qh7K+PrKtLF3vKvjXEvDJivKvAvUK5CtQBuWuXGygqrbihls7oG/:lmf+qtCuqvA84h5
                    MD5:A70D13852CABF5A800083E2B6581E707
                    SHA1:90731A5B39CBAC28A7DBF79A56D3D8F966EF5543
                    SHA-256:7A6F12DB5A1D58AA41B52299C5CE8B024E9A07683D9F37497F5280F5A2A69D19
                    SHA-512:5A3FD0B962D0E367ACF73A09E44193E9D5DEA4E6844BF4CEB3F27DD8AF037FD52023534E6C4F580F6DA33EB2C76AEB69E806AC76135BE4C5C0BA5EDC7919B9B5
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (615), with CRLF line terminators
                    Category:dropped
                    Size (bytes):41622
                    Entropy (8bit):3.577523249714746
                    Encrypted:false
                    SSDEEP:384:4nF+jpoHnZi8oO0GOJ2+8q6OUjEYJL/ZiITrKv:V03XjZJL/YIy
                    MD5:B83C3803712E61811C438F6E98790369
                    SHA1:61A0BC59388786CED045ACD82621BEE8578CAE5A
                    SHA-256:2AA6E8D402E44D9EE895B18195F46BF90259DE1B6F44EFD46A7075B110F2DCD6
                    SHA-512:E020F93E3A082476087E690AD051F1FEB210E0915924BB4548CC9F53A7EE2760211890EB6036CE9E5E4A311ABC0300E89E25EFBBB894C2A621FFBC9D64CC8A38
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18264
                    Entropy (8bit):5.241080166633712
                    Encrypted:false
                    SSDEEP:384:9Qo6s3rhGrcHN/USYvYVAFWlieW+LXci2jXHUyA:9NhCSVYvYVAFOMi2jXHU/
                    MD5:C31942E7CCB510ACAE6518881734C2CC
                    SHA1:6DA8EAC43422674E97AFCB04F30FED35207A8F2F
                    SHA-256:446E56E32843C80F54793B14FA0E293C3B61D7F82E80D205C3CE99C77BA8B140
                    SHA-512:BF16F0D9520634DCAAB4901B7E9D121CF7BB21E7CAE073E88135366514D68F60A175368308E94D7C74765B91E4946DF36BD162E53ECA2EE1E309830FE738BC35
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                    Category:dropped
                    Size (bytes):10303
                    Entropy (8bit):5.21810340625041
                    Encrypted:false
                    SSDEEP:192:efr7MR0HhNXHsKiPoDD2xOwgBI/z3ksgscx6DGC7v6yOCjIOMMP8uB2:aYRgN8mD2xiEz3ksgscx6KC7SyOCjIOy
                    MD5:FC11D9C5EBFE1B71E76E4D6C4C6C862F
                    SHA1:909620E4EC8B27B25CD51C2546B3700B52B05250
                    SHA-256:CE75A8C844501501C8F622FC5C10495E34507ACEF33A3BABE105CEAB38D2DE47
                    SHA-512:EBE807EF57DDE86ED18680D51774A3F34A25D7A6CBE589BCA039EA0B1822C16B2B84FD19E91DD2AAA5EF3CC506B12F1326E285CA08554346FE0C6B44B377694F
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (565), with CRLF line terminators
                    Category:dropped
                    Size (bytes):39246
                    Entropy (8bit):3.5443876937052083
                    Encrypted:false
                    SSDEEP:192:4kVKhG9aX0SDpI53/asO0KMv+VXxwVcPIv5COQu4SLbpmQVX5FB0zJOkue6Jjfz3:4MKhJkeZsdlNl9SJOkR6NXaxu
                    MD5:D642E322D1E8B739510CA540F8E779F9
                    SHA1:36279C76D9F34C09EBDDC84FD33FCC7D4B9A896C
                    SHA-256:5D90345FF74E177F6DA8FB6459C1CFCAC080E698215CA75FEB130D0D1F2A76B9
                    SHA-512:E1E16AE14BC7CC1608E1A08D3C92B6D0518B5FABD27F2C0EB514C87AFC3D6192BF7A793A583AFC65F1899F03DC419263B29174456E1EC9AB0F0110E0258E0F0D
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):16728
                    Entropy (8bit):5.268121432650481
                    Encrypted:false
                    SSDEEP:192:UykqnUfwTW7JoWpZeWQjp8M+9HS8bC/TJs7kFknuQKPnEtObMacxc8hjeyveCXiU:ONojWpZeW79ygC/TfFkuLXci2jpvT7
                    MD5:718AB3EB3F43C9BCF16276C1EB17F2C1
                    SHA1:A3091FD7784A9469309B3EDB370E24A0323E30AC
                    SHA-256:E1A13F5B763D73271A1A205A88E64C6611C25D5F434CFA5DA14FEB8E4272FFAA
                    SHA-512:9FA8A8D9645A9B490257C2DCE3D31F1585F6D6069F9471F9E00DFAA9E457FF1DB4C9176A91E02D7F0B61BAE0C1FC76B56061EFF04888A58AEB5AD2E8692FCF8A
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                    Category:dropped
                    Size (bytes):7346
                    Entropy (8bit):4.957730247487973
                    Encrypted:false
                    SSDEEP:192:Ff9lHdwOQnTl2QpecglQREe931lGGgi2k90vuE9HSH/c2:bQOQnI6glQRjlGGgi24JAyE2
                    MD5:0D0269DFD3FFA37529A14953A5891964
                    SHA1:F4FD2C37B8AA22C1083210508DD35CB7665A36A5
                    SHA-256:6BAB6A941CF861BE226207A02D2DCE79E007FA4368CF638EBBB6F6A762646729
                    SHA-512:01817413168C0365B6B16A3D1A80061D94BBC8BC466528F05B42A65700847A9DE5996A8C55EC3F19FA9F35698D3790CDE572540DC7386409CB692A6A41BFC137
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (619), with CRLF line terminators
                    Category:dropped
                    Size (bytes):41492
                    Entropy (8bit):3.5522209001567364
                    Encrypted:false
                    SSDEEP:192:4GrYAOJoFbZZ0eQiFaD4EbJeiI5hJUPu2oBknXoFDYnZCoroUnAJJFHq20/kFR/0:4GZUoRZc5ryx2fHIJR0kbG52gjfVv
                    MD5:E382ABC19294F779D2833287242E7BC6
                    SHA1:1CEAE32D6B24A3832F9244F5791382865B668A72
                    SHA-256:43F913FF28D677316F560A0F45221F35F27CFAF5FC5BD645974A82DCA589EDBF
                    SHA-512:06054C8048CADE36A3AF54F9A07FD8FA5EB4F3228790996D2ABEA7EE1EE7EB563D46BD54FF97441F9610E778194082C44E66C5F566C9C50A042ABA9EB9CAE25E
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18264
                    Entropy (8bit):5.215421096962445
                    Encrypted:false
                    SSDEEP:384:y7s6rAY9li3OoDDkb6Wp9eWBLXci2jpvmm:yzfiZDgTlMi2jpvmm
                    MD5:E35532C4BB5B1CFC4E6808599C090405
                    SHA1:72B8B5A31499D8E4B42D34A4BA23E98C2615483E
                    SHA-256:009878ADCD858C2289BB313966F9716FC3868A7EB0915772C3D7CB76E67CA6FB
                    SHA-512:6AFD3ACB62E7A5C9BAFFB7D6890793F08B40DF35EB913CBAD3D50DEF8CD506A569A723ACDC08C7F9CAA05A264A421DBDCB09E5346E026BEDDD9A0AD8C11FA16B
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                    Category:dropped
                    Size (bytes):8833
                    Entropy (8bit):5.13980517558444
                    Encrypted:false
                    SSDEEP:192:LfPlz+1WZ0a5+dAKkvY+8QE3clI6/JK3aE66i8UKjxb1c2OjL8Nr7FaF5c2:rw1WKa5+dAKkvY+8QEMlI6Q3PIX034se
                    MD5:6A03E425EC71137AF114A5AAB2999B18
                    SHA1:794A1D545DDED6CDC355449DD72F0A8A8303C4D2
                    SHA-256:495BBBEC333AC355DEEAE48A56DAD9A3CEB7CDBD2FB28712EE628A26FA539320
                    SHA-512:E12648B8B37002057C83581ECC5209490A98D37CAE850EAB0C035ED6640BE130238ECDB72195DEEF03BF8E71C3E6EDADB79276C1DB030BF0BF3DD8301DA9077C
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (601), with CRLF line terminators
                    Category:dropped
                    Size (bytes):40338
                    Entropy (8bit):3.5295538496820984
                    Encrypted:false
                    SSDEEP:384:4hZo3+Ma9e1JzNZNs4fneAEJ0o5H/PuRv:NaudsJ1u
                    MD5:0AF948FE4142E34092F9DD47A4B8C275
                    SHA1:B3D6DD5C126280398D9055F90E2C2C26DBAE4EAA
                    SHA-256:C4C7C0DDAA6D6A3A1DC260E9C5A24BDFAA98C427C69E8A65427DD7CAC0A4B248
                    SHA-512:D97B5FE2553CA78A3019D53E33D2DB80C9FA1CF1D8D2501D9DDF0576C7E6EA38DAB754FE4712123ABF34B97E10B18FB4BBD1C76D3DACB87B4682E501F93423D9
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):17752
                    Entropy (8bit):5.253439908286741
                    Encrypted:false
                    SSDEEP:384:o7C6Tg7AtONBKHno5JW2eWlLXci2jpvDho:okAbsX5Mi2jpv1o
                    MD5:C956E591A0C801B17693AA99098E4C6D
                    SHA1:B8DE448E1148E9DC9095664846EF56929C9B71A4
                    SHA-256:B6CA7CE4ECF331BA1EB40B9D3BFB75A78D23A3E5DC29AD081060AB0D8822E3F5
                    SHA-512:4E4F8BBA8C72CC68BD81E460A12D73D7A3A00F912EAF5A6E0140D8FC801A588617E1A32FAF6C9A3FA5FD7DD04527064AF8969156214A37B90A7C193DCC59CAD2
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                    Category:dropped
                    Size (bytes):9245
                    Entropy (8bit):5.069998443181659
                    Encrypted:false
                    SSDEEP:192:Lf7laOFewwU3xr3/rhdSNj6HzLCwdi/V2VXk3rLnF2gtlH4c2:fjFhpdSczL/+V2a3rLnF2g/D2
                    MD5:BEDE1C7787FEA865571A7D6F010361C5
                    SHA1:3853CB9585922E86AFF886F32F6739308799E062
                    SHA-256:563215712674FCEB29E04FA4BBCBBEC307FB4BE9EE15C820C46164F77D79BF16
                    SHA-512:A408818DCAFF109B8972D3D287221D58405C656F4A56BD389E5044FF9EB3E3A6BD95E0C4E49D1BD36A429EF1DB168CCC77747B11397EE91436D078E81519414A
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (440), with CRLF line terminators
                    Category:dropped
                    Size (bytes):34318
                    Entropy (8bit):4.3825885013202255
                    Encrypted:false
                    SSDEEP:192:4OTOo45ZyAYcou3LDnmUjMFsrHZmxqJOXhNCGYHre3iR7v:4OTOoMhYcRaOXJ6koIv
                    MD5:7FCFBC308B0C42DCBD8365BA62BADA05
                    SHA1:18A0F0E89B36818C94DE0AD795CC593D0E3E29A9
                    SHA-256:01E7D24DD8E00B5C333E96D1BB83813E02E96F89AAD0C2F28F84551D28ABBBE2
                    SHA-512:CD6F912A037E86D9E1982C73F0F8B3C4D5A9A6B5B108A7B89A46E6691E430A7CB55718DE9A0C05650BB194C8D4A2E309AD6221D638CFCA8E16AA5920881BA649
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15192
                    Entropy (8bit):6.0685950222818965
                    Encrypted:false
                    SSDEEP:192:DFg6ujUfwtW1+/FuZhS5CSJk/lhQW5JEW/QKPnEtObMacxc8hjeyveCXlC2y+UNH:iUC7mS53JkNCW5JEW/LXci2jpvrCN
                    MD5:00EBA8C995E91FA9C7A38221CC3C2AB2
                    SHA1:353D373B66EC5B6D25A060AE69BF362202B0C069
                    SHA-256:DA2514F84A5249937DD439CB608B44D7A2C152D7D4F7B4F1D2B12DB22FB29DF5
                    SHA-512:7CBA82C897AFBC09E87295F7F9C9F2DB1DDB124CAFAFE5E93F46F4346BB6EC5CBF1E4A100B532E854A8089A074949014F68A77D9E43A9390D64A37875F35C586
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                    Category:dropped
                    Size (bytes):24099
                    Entropy (8bit):3.825803656837097
                    Encrypted:false
                    SSDEEP:192:3fCp7l5T9Yx8Ty+HaCECL9UumM4JEjFntEjjQD3cue6IvZ2N/Fump17D5joXSEZU:6Q+EU5heUzjKSYYecnOMFjsb6RU2
                    MD5:D391858950A2E53FB7CAD0EF993A0857
                    SHA1:D0C433C38A62BF0FCE4285585DBDC0BC9159F60D
                    SHA-256:415336BDD86FFEEAEF7FF776717F18FA83418107851800EE0EE1FD65DDCF8A97
                    SHA-512:E5AB613589BACE9BA6CA91EEB82101B49CDD6BB5E667A69F9D9EA90718041BA520955E581B3C9AC4D63D613F6FD4DA220C2C7CEC5CE1A721F4D55396DB15266B
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (439), with CRLF line terminators
                    Category:dropped
                    Size (bytes):32962
                    Entropy (8bit):4.366055142656104
                    Encrypted:false
                    SSDEEP:192:4cdsW0fwUrh+UgYUDQhGAtPN/2JWCTJSIQvPaLWL2C4oH/Drv:4cdszvrBgYUDQhF5N7IJSIQvkQfLH/Pv
                    MD5:71DFD70AE141F1D5C1366CB661B354B2
                    SHA1:C4B22590E6F6DD5D39E5158B831AE217CE17A776
                    SHA-256:CCCDA55294AEB4AF166A8C0449BCA2189DDF5AA9A43D5E939DD3803E61738331
                    SHA-512:5000D62F3DE41C3FB0ED8A8E9C37DBF4EB427C4F1E3AD3823D4716C6FE62250BAC11B7987A302B8A45D91AABCF332457F7AFF7D99F15EDEFFE540639E9440E8A
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14680
                    Entropy (8bit):6.062566477695181
                    Encrypted:false
                    SSDEEP:192:vAwkhnUfwVWgj2sPKNS0N7gVCAkWpDeWJQKPnEtObMacxc8hjXHUz1TrONSQE:oLY6d2Kj0lgRkWpDeWJLXci2jXHUEe
                    MD5:C3607B83C32851D9B5FD44F33430EA58
                    SHA1:2E5181690881DF80D63466433C973E66A56105FF
                    SHA-256:327269984378BC3B9EC4F4392B94F7D1347DB9C7BEAD2935A3B1898EB20B8080
                    SHA-512:664528B6424F9C3DC2ED4A2EDC3CCEE02806FF48402930205055D348B65B36587E1E6516AF4A12B2DDE9C03ED6DBF06E09B3F337AF2C152A9F0D3FE078357807
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                    Category:dropped
                    Size (bytes):34291
                    Entropy (8bit):4.149816302442216
                    Encrypted:false
                    SSDEEP:384:bhPZmmiJvqtz3QN4GPstREaUmJ9S7Syd2Io3G0h16koLHlx/z+WH2wsDwCnaZVSQ:VhmHvtns/EwW+Y/ewtCY+yVcQo4
                    MD5:BF5C632A7F64FAF037FCEDDFFA79F0E1
                    SHA1:4CE736E4620F34B432760A6A292303522DEDD1D5
                    SHA-256:74B89881C0D953DDF6E87619E5C898DADFD113AFFBA28A2C71BE3FA0D952D7BD
                    SHA-512:3516F913A74F9407495F74C1E8494C8E492AC5B4592CB08A6D880BDDEE7AECD67152C1A999DC202DDA021A94943CFD5658B14AF3DAA72F0FE7B1C63A0026EEEA
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (634), with CRLF line terminators
                    Category:dropped
                    Size (bytes):40428
                    Entropy (8bit):4.232828720335164
                    Encrypted:false
                    SSDEEP:384:4q0oG/2VrQa0inweNLvSli+CJA3aJW5cGUT3CT+v:DVFJl
                    MD5:0EEB554D0B9F9FCDB22401E2532E9CD0
                    SHA1:08799520B72A1EF92AC5B94A33509D1EDDF6CAF8
                    SHA-256:BEEF0631C17A4FB1FF0B625C50C6CB6C8CE90A1AE62C5E60E14BF3D915AD509C
                    SHA-512:2180E46A5A2EA1F59C879B729806CA02A232C66660F29C338C1FA7FBEE2AFA4B13D8777D1F7B63CF831EB42F3E55282D70AA8E53F40616B8A6E4D695C36E313D
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):17752
                    Entropy (8bit):5.661156120079437
                    Encrypted:false
                    SSDEEP:192:nRBgnUfwVWBCl23DV3SD1tt9WfXHT7nMcPxeWlQKPnEtObMacxc8hjeyveCXFqPr:n/v65URiD1vwLoeeWlLXci2jpvyPr
                    MD5:9FA7457ABFA95BBE8E8A7814095A9A8B
                    SHA1:BC320ED0BC482B11FE23DB21755A95C2F262A765
                    SHA-256:13DA0002D2491526C53A892B2250D321F22A24FAE67544488D70BD059AD27229
                    SHA-512:189326EA549F217A2154CAB4A7EA444D3F51BF00929FD2A6F108150E13F0B42B08B006860DDAC6044C9E9D44859A579705FCACCCF81FE5860E1E94F5994AD12B
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                    Category:dropped
                    Size (bytes):26856
                    Entropy (8bit):3.646005856063089
                    Encrypted:false
                    SSDEEP:384:spSEbldVGRw5rF7TavN0rDSIyshfe0s8q1vi8eonN7Uii6sCbDS5gLDPw9LVxOik:y/Vl6Q/u/GgXPw9JQ98aCfHZ/G
                    MD5:156313549F1D699ECF7922F27B9F554C
                    SHA1:C11E59A96C7FA5081AEBBD82A7CB928D18B766EB
                    SHA-256:3794117C849778FE43BE7DA7EE160FDBBC41C8B6F24EFE4CEEDDD6738D731B1E
                    SHA-512:02D386E6D08C581435053FF61F8104F47A58EBE1C988F6696B6C755CC99FC07C033EF717FD21EF8004B2C68A59656795990F49FBD224B635386895E43A48FAA3
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (390), with CRLF line terminators
                    Category:dropped
                    Size (bytes):31138
                    Entropy (8bit):4.240036868712424
                    Encrypted:false
                    SSDEEP:192:4Qn7cJwYTzOnyquEWTOAXUewfMcqQJywXk83GJPupIoxnb/2v:4Qn7cJxTC/uEWTfXUewiQJyoknJY9b+v
                    MD5:52B1DC12CE4153AA759FB3BBE04D01FC
                    SHA1:BF21F8591C473D1FCE68A9FAF1E5942F486F6EBA
                    SHA-256:D1735C8CFD8E10BA019D70818C19FA865E7C72F30AB6421A3748408F85FB96C3
                    SHA-512:418903AE9A7BAEBF73D055E4774FF1917FBAAB9EE7ED8C120C34BB10E7303F6DD7B7DAE701596D4626387A30AE1B4D329A9AF49B8718B360E2FF619C56C19623
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13656
                    Entropy (8bit):6.174620629388967
                    Encrypted:false
                    SSDEEP:192:2s8nUfwVWtTXjuQShyjK7o0WtEW2QKPnEtObMacxc8hjeyveCXi:pTCTFhMKFWtEW2LXci2jpvM
                    MD5:E4131092F32928A45757622C6B43B906
                    SHA1:AC6A465AE3EFE8CA55115B0F49FD5CC0F76C1343
                    SHA-256:FD66A26672E981987D92549F966E9095988D49FA5025C38CB90CFB9BCFF52268
                    SHA-512:A76F1FAA61418B0F1A0401255FE9CA3CAA32A3F9D1CE2BB5A0D6EEECE793470EDF565E2EB6A8FC90FB6FC70004F2C2D1FAABE14F86754BBC9809669888188F73
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                    Category:dropped
                    Size (bytes):16242
                    Entropy (8bit):4.055338447097465
                    Encrypted:false
                    SSDEEP:384:6WOmTYUI1tR+PZBZNgANlPLE3o14BI3G7288GKGfPt0iswGcq8Z2:NU/+PZ5zOmqf1c
                    MD5:8667C04407DF32DBAE7C7553C5963745
                    SHA1:901E33C831A89062391252AE7F581CDB1D8FB275
                    SHA-256:E8B2AF11A0C37B6085FAFB053EC1C66454EF1B58C65CA45422B9150B9D2D37FC
                    SHA-512:79EC3C43FF5E599022EAD3B86367DD202A9138CF50EAEEB6106D8313CEACBFBC432E101BFB48CA2C6B43887B3738AE7470F2473D1A84CFFD6B2B882AE893E1B7
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (616), with CRLF line terminators
                    Category:dropped
                    Size (bytes):40912
                    Entropy (8bit):3.5296334743141515
                    Encrypted:false
                    SSDEEP:384:4fgA4Ukd+uYW1HCD1GO/tja2QDu7Jr++dP8z3AzOrv:tUZW1iDDdWCJi8Pg32Y
                    MD5:5397A12D466D55D566B4209E0E4F92D3
                    SHA1:FCFFD8961FB487995543FC173521FDF5DF6E243B
                    SHA-256:F124D318138FF084B6484DEB354CCA0F72296E1341BF01169792B3E060C89E89
                    SHA-512:7708F5A2AD3E4C90C4C216600435AF87A1557F60CAF880A3DD9B5F482E17399AF9F0B9DE03FF1DBDD210583E0FEC5B466E35794AC24D6D37F9BBC094E52FC77B
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18264
                    Entropy (8bit):5.289331878496675
                    Encrypted:false
                    SSDEEP:192:EiknnUfwVWVCe8b1S2U85ZTYG11mWPeWfQKPnEtObMacxc8hjXHUz1TrOB4i3f:Elq6Lbg2zZTf11mWPeWfLXci2jXHUwp
                    MD5:B5BAC5815E01A14C21B00B1B75BEE7A2
                    SHA1:07BEA6680D51C83D230CE9F8E849C34135BA0C50
                    SHA-256:8BA0DBB6CFF5FF4269946EC67E6F64D15083414E34646E60E18A548AFED91DFF
                    SHA-512:FDBCF102663FFD3AD615022E99B7703C9C66654FAB8E50ED580859E3334519EC99A45B931C1BA5498C92D2D56A2CB7B8A48E8AA3F061F27F7E8F6DF5D6EBB5F9
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                    Category:dropped
                    Size (bytes):10271
                    Entropy (8bit):5.161891329008937
                    Encrypted:false
                    SSDEEP:192:LfKlBfh7TJRSB4w6Fzm3Iuksbhu9+9GQwEeocPztyv5vFvAtUtBrCl7Yuk3LrC9w:+Pfh7TD649F63Iufbg9euEeLhMvmSQKT
                    MD5:D64D283F0AA734CDB9EDF02A6D92334B
                    SHA1:3D90A22FE198BA9E4A46D7CC78EC91DA05D29E80
                    SHA-256:7E1B4CFDE7EA549360A3B323E720F1A6CB58C64AAE823650DA5A5FFB127FE645
                    SHA-512:D54FF0BED510E84A4584F33588753B10EE7E5E2CCE95A5A834C5CE06486D683CA903F28A6E8D45C56BBE903A078367CFF8A2AFB3A2061545E5C34FA6ADDEB1CE
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):16118
                    Entropy (8bit):3.6434775915277604
                    Encrypted:false
                    SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
                    MD5:CD131D41791A543CC6F6ED1EA5BD257C
                    SHA1:F42A2708A0B42A13530D26515274D1FCDBFE8490
                    SHA-256:E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
                    SHA-512:A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:MS Windows icon resource - 13 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
                    Category:dropped
                    Size (bytes):88533
                    Entropy (8bit):7.210526848639953
                    Encrypted:false
                    SSDEEP:1536:xWayqxMQP8ZOs0JOG58d8vo2zYOvvHAj/4/aXj/Nhhg73BVp5vEdb:e/gB4H8vo2no0/aX7C7Dct
                    MD5:F9657D290048E169FFABBBB9C7412BE0
                    SHA1:E45531D559C38825FBDE6F25A82A638184130754
                    SHA-256:B74AD253B9B8F9FCADE725336509143828EE739CC2B24782BE3ECFF26F229160
                    SHA-512:8B93E898148EB8A751BC5E4135EFB36E3AC65AF34EAAC4EA401F1236A2973F003F84B5CFD1BBEE5E43208491AA1B63C428B64E52F7591D79329B474361547268
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                    Category:dropped
                    Size (bytes):1150
                    Entropy (8bit):4.923507556620034
                    Encrypted:false
                    SSDEEP:24:dOjNyw2aSGZHJi4U7Wf0mDX+QF7s/AemFAh:MjNyw/0NW9DOp/ANC
                    MD5:7E55DDC6D611176E697D01C90A1212CF
                    SHA1:E2620DA05B8E4E2360DA579A7BE32C1B225DEB1B
                    SHA-256:FF542E32330B123486797B410621E19EAFB39DF3997E14701AFA4C22096520ED
                    SHA-512:283D381AA396820B7E15768B20099D67688DA1F6315EC9F7938C2FCC3167777502CDED0D1BEDDF015A34CC4E5D045BCB665FFD28BA2FBB6FAF50FDD38B31D16E
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                    Category:dropped
                    Size (bytes):894
                    Entropy (8bit):2.5118974066097444
                    Encrypted:false
                    SSDEEP:6:kRKqNllGuv/ll2dL/rK//dlQt0tlWMlMN8Fq/wbD4tNZDlNc367YCm6p+Wvtjlpr:pIGOmDAQt8n+uNbctNZ5w6AsXjKHRp5c
                    MD5:26A00597735C5F504CF8B3E7E9A7A4C1
                    SHA1:D913CB26128D5CA1E1AC3DAB782DE363C9B89934
                    SHA-256:37026C4EA2182D7908B3CF0CEF8A6F72BDDCA5F1CFBC702F35B569AD689CF0AF
                    SHA-512:08CEFC5A2B625F261668F70CC9E1536DC4878D332792C751884526E49E7FEE1ECFA6FCCFDDF7BE80910393421CC088C0FD0B0C27C7A7EFF2AE03719E06022FDF
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                    Category:dropped
                    Size (bytes):894
                    Entropy (8bit):2.5178766234336925
                    Encrypted:false
                    SSDEEP:12:pmZX5+9wQaxWbwW3h/7eHzemn0iLHRp5c:Md5EaxWbh/Cnt4
                    MD5:8419CAA81F2377E09B7F2F6218E505AE
                    SHA1:2CF5AD8C8DA4F1A38AAB433673F4DDDC7AE380E9
                    SHA-256:DB89D8A45C369303C04988322B2774D2C7888DA5250B4DAB2846DEEF58A7DE22
                    SHA-512:74E504D2C3A8E82925110B7CFB45FDE8A4E6DF53A188E47CF22D664CBB805EBA749D2DB23456FC43A86E57C810BC3D9166E7C72468FBD736DA6A776F8CA015D1
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                    Category:dropped
                    Size (bytes):894
                    Entropy (8bit):2.5189797450574103
                    Encrypted:false
                    SSDEEP:12:pPrMIMxPWk3AyORrabBQ+gra2/MXWM4xfQHRp5c:1gxPbXlBQ+gr1ffO4
                    MD5:924FD539523541D42DAD43290E6C0DB5
                    SHA1:19A161531A2C9DBC443B0F41B97CBDE7375B8983
                    SHA-256:02A7FE932029C6FA24D1C7CC06D08A27E84F43A0CBC47B7C43CAC59424B3D1F6
                    SHA-512:86A4C5D981370EFA20183CC4A52C221467692E91539AC38C8DEF1CC200140F6F3D9412B6E62FAF08CA6668DF401D8B842C61B1F3C2A4C4570F3B2CEC79C9EE8B
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                    Category:dropped
                    Size (bytes):894
                    Entropy (8bit):2.5119705312617957
                    Encrypted:false
                    SSDEEP:6:kRK///FleTxml+SzNaoT9Q0/lHOmMdrYln8OUo/XRWl2XOXFBYpqnHp/p5c:p///FPwxUrMunUofRReFNHRp5c
                    MD5:BB55B5086A9DA3097FB216C065D15709
                    SHA1:1206C708BD08231961F17DA3D604A8956ADDCCFE
                    SHA-256:8D82FF7970C9A67DA8134686560FE3A6C986A160CED9D1CC1392F2BA75C698AB
                    SHA-512:DE9226064680DA6696976A4A320E08C41F73D127FBB81BF142048996DF6206DDB1C2FE347C483CC8E0E50A00DAB33DB9261D03F1CD7CA757F5CA7BB84865FCA9
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                    Category:dropped
                    Size (bytes):894
                    Entropy (8bit):2.5083713071878764
                    Encrypted:false
                    SSDEEP:6:kRKi+Blqkl/QThulVDYa5a//ItEl/aotzauakg//5aM1lkl05Kaag2/JqnHp/p5c:pXBHehqSayIylrtBg/bk4AgzHRp5c
                    MD5:3B4861F93B465D724C60670B64FCCFCF
                    SHA1:C672D63C62E00E24FBB40DA96A0CC45B7C5EF7F0
                    SHA-256:7237051D9AF5DB972A1FECF0B35CD8E9021471740782B0DBF60D3801DC9F5F75
                    SHA-512:2E798B0C9E80F639571525F39C2F50838D5244EEDA29B18A1FAE6C15D939D5C8CD29F6785D234B54BDA843A645D1A95C7339707991A81946B51F7E8D5ED40D2C
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                    Category:dropped
                    Size (bytes):894
                    Entropy (8bit):2.5043420982993396
                    Encrypted:false
                    SSDEEP:12:pjs+/hlRwx5REHevtOkslTaGWOpRFkpRHkCHRp5c:tZ/u+HeilBh/F+Rd4
                    MD5:70006BF18A39D258012875AEFB92A3D1
                    SHA1:B47788F3F8C5C305982EB1D0E91C675EE02C7BEB
                    SHA-256:19ABCEDF93D790E19FB3379CB3B46371D3CBFF48FE7E63F4FDCC2AC23A9943E4
                    SHA-512:97FDBDD6EFADBFB08161D8546299952470228A042BD2090CD49896BC31CCB7C73DAB8F9DE50CDAF6459F7F5C14206AF7B90016DEEB1220943D61C7324541FE2C
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                    Category:dropped
                    Size (bytes):894
                    Entropy (8bit):2.4948009720290445
                    Encrypted:false
                    SSDEEP:6:kRKIekllisUriJ2IP+eX8iDml8mS8+hlxllwqlllkg2klHYdpqnHp/p5c:p8os0iieX8iNVHX//x2sHYdoHRp5c
                    MD5:FB4DFEBE83F554FAF1A5CEC033A804D9
                    SHA1:6C9E509A5D1D1B8D495BBC8F57387E1E7E193333
                    SHA-256:4F46A9896DE23A92D2B5F963BCFB3237C3E85DA05B8F7660641B3D1D5AFAAE6F
                    SHA-512:3CAEB21177685B9054B64DEC997371C4193458FF8607BCE67E4FBE72C4AF0E6808D344DD0D59D3D0F5CE00E4C2B8A4FFCA0F7D9352B0014B9259D76D7F03D404
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                    Category:dropped
                    Size (bytes):894
                    Entropy (8bit):2.513882730304912
                    Encrypted:false
                    SSDEEP:12:pPv1OuTerb53mpOBfXjQuZfKWpIXE1D6HRp5c:91OEerb53eUQsflpIP4
                    MD5:D1C53003264DCE4EFFAF462C807E2D96
                    SHA1:92562AD5876A5D0CB35E2D6736B635CB5F5A91D9
                    SHA-256:5FB03593071A99C7B3803FE8424520B8B548B031D02F2A86E8F5412AC519723C
                    SHA-512:C34F8C05A50DC0DE644D1F9D97696CDB0A1961C7C7E412EB3DF2FD57BBD34199CF802962CA6A4B5445A317D9C7875E86E8E62F6C1DF8CC3415AFC0BD26E285BD
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                    Category:dropped
                    Size (bytes):1150
                    Entropy (8bit):4.824239610266714
                    Encrypted:false
                    SSDEEP:24:Br5ckw0Pce/WPv42lPpJ2/BatY9Y4ollEKeKzn:h6kPccWPQS2UtEYFEKeu
                    MD5:7D62E82D960A938C98DA02B1D5201BD5
                    SHA1:194E96B0440BF8631887E5E9D3CC485F8E90FBF5
                    SHA-256:AE041C8764F56FD89277B34982145D16FC59A4754D261C861B19371C3271C6E5
                    SHA-512:AB06B2605F0C1F6B71EF69563C0C977D06C6EA84D58EF7F2BAECBA566D6037D1458C2B58E6BFD70DDEF47DCCBDEA6D9C2F2E46DEA67EA9E92457F754D7042F67
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:MS Windows icon resource - 12 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
                    Category:dropped
                    Size (bytes):36710
                    Entropy (8bit):5.3785085024370805
                    Encrypted:false
                    SSDEEP:384:IXcWz9GU46B4riEzg8CKcqxkk63gBh6wSphnBcI/ObMFp2rOebgcjTQcho:IMWQ2Bf8qqxMQP8pc4XessTJo
                    MD5:3D25D679E0FF0B8C94273DCD8B07049D
                    SHA1:A517FC5E96BC68A02A44093673EE7E076AD57308
                    SHA-256:288E9AD8F0201E45BC187839F15ACA79D6B9F76A7D3C9274C80F5D4A4C219C0F
                    SHA-512:3BDE668004CA7E28390862D0AE9903C756C16255BDBB3F7E73A5B093CE6A57A3165D6797B0A643B254493149231ACA7F7F03E0AF15A0CBE28AFF02F0071EC255
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                    Category:dropped
                    Size (bytes):1150
                    Entropy (8bit):5.038533294442847
                    Encrypted:false
                    SSDEEP:24:MuoBP5lj49s9NRDe4LakKcTM8cv99uGzMN:MlFH3/Ri4LaN3q
                    MD5:661CBD315E9B23BA1CA19EDAB978F478
                    SHA1:605685C25D486C89F872296583E1DC2F20465A2B
                    SHA-256:8BFC77C6D0F27F3D0625A884E0714698ACC0094A92ADCB6DE46990735AE8F14D
                    SHA-512:802CC019F07FD3B78FCEFDC8404B3BEB5D17BFC31BDED90D42325A138762CC9F9EBFD1B170EC4BBCCCF9B99773BD6C8916F2C799C54B22FF6D5EDD9F388A67C6
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                    Category:dropped
                    Size (bytes):1150
                    Entropy (8bit):5.854644771288791
                    Encrypted:false
                    SSDEEP:24:u2iVNINssNQhYMEyfCHWZZ7rTRrbWjcyuE:uDW871fdZ1lbWjME
                    MD5:EE2C05CC9D14C29F586D40EB90C610A9
                    SHA1:E571D82E81BD61B8FE4C9ECD08869A07918AC00B
                    SHA-256:3C9C71950857DDB82BAAB83ED70C496DEE8F20F3BC3216583DC1DDDA68AEFC73
                    SHA-512:0F38FE9C97F2518186D5147D2C4A786B352FCECA234410A94CC9D120974FC4BE873E39956E10374DA6E8E546AEA5689E7FA0BEED025687547C430E6CEFFABFFB
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                    Category:dropped
                    Size (bytes):10134
                    Entropy (8bit):6.016582854640062
                    Encrypted:false
                    SSDEEP:96:uC1kqWje1S/f1AXa0w+2ZM4xD02EuZkULqcA0zjrpthQ2Ngms9+LmODclhpjdfLt:JkqAFqroMS9lD9Ngr9+m7bxpXHT5ToYR
                    MD5:5DFA8D3ABCF4962D9EC41CFC7C0F75E3
                    SHA1:4196B0878C6C66B6FA260AB765A0E79F7AEC0D24
                    SHA-256:B499E1B21091B539D4906E45B6FDF490D5445256B72871AECE2F5B2562C11793
                    SHA-512:69A13D4348384F134BA93C9A846C6760B342E3A7A2E9DF9C7062088105AC0B77B8A524F179EFB1724C0CE168E01BA8BB46F2D6FAE39CABE32CAB9A34FC293E4A
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                    Category:dropped
                    Size (bytes):10134
                    Entropy (8bit):4.3821301214809045
                    Encrypted:false
                    SSDEEP:192:USAk9ODMuYKFfmiMyT4dvsZQl+g8DnPUmXtDV3EgTtc:r9wM7pyEBlcgssmXpVUgJc
                    MD5:B2B1D79591FCA103959806A4BF27D036
                    SHA1:481FD13A0B58299C41B3E705CB085C533038CAF5
                    SHA-256:FE4D06C318701BF0842D4B87D1BAD284C553BAF7A40987A7451338099D840A11
                    SHA-512:5FE232415A39E0055ABB5250B120CCDCD565AB102AA602A3083D4A4705AC6775D45E1EF0C2B787B3252232E9D4673FC3A77AAB19EC79A3FF8B13C4D7094530D2
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (314), with CRLF line terminators
                    Category:dropped
                    Size (bytes):8958
                    Entropy (8bit):3.590720750290828
                    Encrypted:false
                    SSDEEP:192:gCSKVv3CN09VG2uSw2G2XDEj2G2KQ6G2nCw+KFl:d3vG+G/KGPGYCrKFl
                    MD5:46DB5D342D306778CAB61E413A84FECE
                    SHA1:D0885AE1F706E014015CACB0CD67CA786D0962C2
                    SHA-256:227BD903261486663665BA232B753781BAFD7AFBA68B5614AD93D6D1F5A1E16B
                    SHA-512:5DE734CE86888AE41DB113BE13B8B6652F67DE8E7FF0DC062A3E217E078CCAFACF44117BBFFF6E26D6C7E4FA369855E87B4926E9BDFA96F466A89A9D9C67A5BC
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="utf-16"?> <Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im" SetupVersion="1.0"> <UI Dll="SetupUi.dll" Name="Microsoft Visual C++ 2010  x86 Redistributable Setup" Version="10.0.40219" /> <Configuration> <DisabledCommandLineSwitches> <CommandLineSwitch Name="createlayout" /> </DisabledCommandLineSwitches> <UserExperienceDataCollection Policy="UserControlled" />
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):78152
                    Entropy (8bit):6.011495501326699
                    Encrypted:false
                    SSDEEP:1536:OLNItbBL5NWiiES96exWZnqxMQP8ZOs0Js95q:OLNAB9NWTZ9Tc/gBW95q
                    MD5:9A1141FBCEEB2E196AE1BA115FD4BEE6
                    SHA1:922EACB654F091BC609F1B7F484292468D046BD1
                    SHA-256:28563D908450EB7B7E9ED07A934E0D68135B5BB48E866E0A1C913BD776A44FEF
                    SHA-512:B044600ACB16FC3BE991D8A6DBC75C2CA45D392E66A4D19EACAC4AEE282D2ADA0D411D832B76D25EF505CC542C7FA1FDB7098DA01F84034F798B08BAA4796168
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):808280
                    Entropy (8bit):6.35945459148743
                    Encrypted:false
                    SSDEEP:24576:BS62AlYAxQ20z7TzuO5cEewDODLzNu/6K8RxvSU1Ccweb:BS62AlYAUTEpNuV8HvSU1Ccwe
                    MD5:A030C6B93740CBAA232FFAA08CCD3396
                    SHA1:6F7236A30308FBF02D88E228F0B5B5EC7F61D3EB
                    SHA-256:0507720D52AE856BBF5FF3F01172A390B6C19517CB95514CD53F4A59859E8D63
                    SHA-512:6787195B7E693744CE3B70C3B3EF04EAF81C39621E33D9F40B9C52F1A2C1D6094ECEAEBBC9B2906649351F5FC106EED085CEF71BB606A9DC7890EAFD200CFD42
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):295248
                    Entropy (8bit):6.260043421233697
                    Encrypted:false
                    SSDEEP:3072:8DPVUK59JxkphBxIc7e+Fe2rNiw8EktfyTm0HqRi/M+sy1lQWc+pm5hxv5yhaQnt:AaygowjTMi/uVwHqKR
                    MD5:C744EC120E54027C57318C4720B4D6BE
                    SHA1:AB65FC4E68AD553520AF049129FAE4F88C7EFF74
                    SHA-256:D1610B0A94A4DADC85EE32A7E5FFD6533EA42347D6F2D6871BEB03157B89A857
                    SHA-512:6DCD0AB7B8671E17D1C15DB030EE5349AB3A123595C546019CF9391CE05F9F63806149C3EC2F2C71635CB811AB65AD47BCD7031E2EFF7A59059577E47DD600A7
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:XML 1.0 document, ASCII text, with very long lines (335), with CRLF line terminators
                    Category:dropped
                    Size (bytes):30120
                    Entropy (8bit):4.990211039591874
                    Encrypted:false
                    SSDEEP:768:hlzLm8eYhsPs05F8/ET/chT+cxcW8G2P4oeTMC:1wchT+cxcDm
                    MD5:2FADD9E618EFF8175F2A6E8B95C0CACC
                    SHA1:9AB1710A217D15B192188B19467932D947B0A4F8
                    SHA-256:222211E8F512EDF97D78BC93E1F271C922D5E91FA899E092B4A096776A704093
                    SHA-512:A3A934A8572FF9208D38CF381649BD83DE227C44B735489FD2A9DC5A636EAD9BB62459C9460EE53F61F0587A494877CD3A3C2611997BE563F3137F8236FFC4CA
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="utf-8"?>..<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema".. xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui".. xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui".. targetNamespace="http://schemas.microsoft.com/SetupUI/2008/01/imui".. elementFormDefault="qualified"..attributeFormDefault="unqualified"..>.... <xs:annotation>.. <xs:documentation>.. Copyright (c) Microsoft Corporation. All rights reserved... Schema for describing DevDiv "Setup UI Info".. </xs:documentation>.. </xs:annotation>.... <xs:element name="SetupUI">.. <xs:annotation>.. <xs:documentation>specifies UI dll, and lists of MSIs MSPs and EXEs</xs:documentation>.. </xs:annotation>.. <xs:complexType>.. <xs:sequence>.. <xs:choice>.. <xs:element ref="UI" minOccurs="1" maxOccurs="1"></xs:element>.. <xs:element ref="Strings" minOccurs="1" maxOccurs="1"></xs:element>..
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:PC bitmap, Windows 3.x format, 200 x 200 x 8, image size 40000, resolution 3779 x 3779 px/m, cbSize 41078, bits offset 1078
                    Category:dropped
                    Size (bytes):41078
                    Entropy (8bit):0.3169962482036715
                    Encrypted:false
                    SSDEEP:24:SgrNa0EfB4elU+jB+rQXJH4+Cs77hIfVHCv4ToqIzgPc8wcKHL+3:3pa0e4YjB5vAHk4E7zgPcDc53
                    MD5:43B254D97B4FB6F9974AD3F935762C55
                    SHA1:F94D150C94064893DAED0E5BBD348998CA9D4E62
                    SHA-256:91A21EBA9F5E1674919EE3B36EFA99714CFB919491423D888CB56C0F25845969
                    SHA-512:46527C88F0AED25D89833B9BE280F5E25FFCEAE6BC0653054C8B6D8EBE34EBA58818A0A02A72BD29279310186AC26D522BBF34191FBDE279A269FC9DA5840ACC
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):14246
                    Entropy (8bit):3.70170676934679
                    Encrypted:false
                    SSDEEP:384:VAZo71GHY3vqaqMnYfHHVXIHjfBHwnwXCa+F:VAB
                    MD5:332ADF643747297B9BFA9527EAEFE084
                    SHA1:670F933D778ECA39938A515A39106551185205E9
                    SHA-256:E49545FEEAE22198728AD04236E31E02035AF7CC4D68E10CBECFFD08669CBECA
                    SHA-512:BEA95CE35C4C37B4B2E36CC1E81FC297CC4A8E17B93F10423A02B015DDB593064541B5EB7003560FBEEE512ED52869A113A6FB439C1133AF01F884A0DB0344B0
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="utf-16"?>..<SetupUI xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui" ..         xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui" >..  <Strings>..    <!-- Reflective property page -->..    <IDS_CAPTION_FORMAT_1S>#(loc.ids_caption_format_1s)</IDS_CAPTION_FORMAT_1S>..    <IDS_IS_REALLY_CANCEL>#(loc.ids_is_really_cancel)</IDS_IS_REALLY_CANCEL>....    <!-- System Requirements page -->..    <SYSREQPAGE_REQUIRED_AND_AVAILABLE_DISK_SPACE>#(loc.sysreq
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):36342
                    Entropy (8bit):3.0936879258457686
                    Encrypted:false
                    SSDEEP:768:S4UR0d5v1SguJQvFQXvDINJh6Fmhvk71sO0Nep3UL9Eu+dOtOcOdOjT5fuPkfuS:S4UR0d5v1QYQLIN/6Fmhvk71sO0Nep3q
                    MD5:4F90FCEF3836F5FC49426AD9938A1C60
                    SHA1:89EBA3B81982D5D5C457FFA7A7096284A10DE64A
                    SHA-256:66A0299CE7EE12DD9FC2CFEAD3C3211E59BFB54D6C0627D044D44CEF6E70367B
                    SHA-512:4CE2731C1D32D7CA3A4F644F4B3111F06223DE96C1E241FCC86F5FE665F4DB18C8A241DAE4E8A7E278D6AFBF91B235A2C3517A40D4D22D9866880E19A7221160
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="utf-16"?>..<SetupUI xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui" xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui" >..  <UI>....    <ResourceDll>SetupResources.dll</ResourceDll>..    <SplashScreen>..      <Hide/>..    </SplashScreen>....    <LCIDHints>..      <LCIDHint>..        <RegKey>HKCU\Software\Microsoft\VisualStudio\9.0\General</RegKey>..        <RegValueName>UILanguage_fake</RegValueName>..      </LCIDHint>..      <LCIDHint>..
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:PC bitmap, Windows 3.x format, 49 x 49 x 24, image size 7254, resolution 2834 x 2834 px/m, cbSize 7308, bits offset 54
                    Category:dropped
                    Size (bytes):7308
                    Entropy (8bit):3.7864255453272464
                    Encrypted:false
                    SSDEEP:48:9L9GXidTgX2bqxIS0SRosEYYgJSIf4pKTg7pDdEAeObh8EWu:R/Y2bq10Q/EY1sK8M4bb
                    MD5:3AD1A8C3B96993BCDF45244BE2C00EEF
                    SHA1:308F98E199F74A43D325115A8E7072D5F2C6202D
                    SHA-256:133B86A4F1C67A159167489FDAEAB765BFA1050C23A7AE6D5C517188FB45F94A
                    SHA-512:133442C4A65269F817675ADF01ADCF622E509AA7EC7583BCA8CD9A7EB6018D2AAB56066054F75657038EFB947CD3B3E5DC4FE7F0863C8B3B1770A8FA4FE2E658
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):144416
                    Entropy (8bit):6.7404750879679485
                    Encrypted:false
                    SSDEEP:3072:uochw/MFWrJjKOMxRSepuBaqn/NlnBh2Lx0JVzx1wWobn1ek8F7HncO5hK9YSHlN:zDFB47UhXBh2yJ5HcOSSSHZqG
                    MD5:3F0363B40376047EFF6A9B97D633B750
                    SHA1:4EAF6650ECA5CE931EE771181B04263C536A948B
                    SHA-256:BD6395A58F55A8B1F4063E813CE7438F695B9B086BB965D8AC44E7A97D35A93C
                    SHA-512:537BE86E2F171E0B2B9F462AC7F62C4342BEB5D00B68451228F28677D26A525014758672466AD15ED1FD073BE38142DAE478DF67718908EAE9E6266359E1F9E8
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:Microsoft Cabinet archive data, 4218761 bytes, 19 files, at 0x44 +A "F_CENTRAL_atl100_x86" +A "F_CENTRAL_mfc100_x86", flags 0x4, number 1, extra bytes 20 in head, 357 datablocks, 0x1503 compression
                    Category:dropped
                    Size (bytes):4224705
                    Entropy (8bit):7.999824074209114
                    Encrypted:true
                    SSDEEP:98304:buCaO1KF/Zn4LkYytTHmuzfgnKZ9zWs2wU2Td:buCf1KF/94Lk9TPzf9Os2wU25
                    MD5:C580A38F1A1A7D838076A1B897C37011
                    SHA1:C689488077D1C21820797707078AF826EA676B70
                    SHA-256:71C0ACC75EECDF39051819DC7C26503583F6BE6C43AB2C320853DE15BECE9978
                    SHA-512:EA3A62BD312F1DDEEBE5E3C7911EB3A73BC3EE184ABB7E9B55BC962214F50BBF05D2499CAF151D0BD00735E2021FBEA9584BF3E868A1D4502B75EC3B62C7FF56
                    Malicious:false
                    Reputation:low
                    Preview:MSCF....._@.....D............................_@.8...........Y...e...H.........S>f. .F_CENTRAL_atl100_x86.H.C.H.....S>f. .F_CENTRAL_mfc100_x86.P....4E...S>f. .F_CENTRAL_mfc100chs_x86.P.....E...S>f. .F_CENTRAL_mfc100cht_x86.P...0OF...S>f. .F_CENTRAL_mfc100deu_x86.P....JG...S>f. .F_CENTRAL_mfc100enu_x86.P....!H...S>f. .F_CENTRAL_mfc100esn_x86.P... .I...S>f. .F_CENTRAL_mfc100fra_x86.P...p.J...S>f. .F_CENTRAL_mfc100ita_x86.P.....K...S>f. .F_CENTRAL_mfc100jpn_x86.P.....K...S>f. .F_CENTRAL_mfc100kor_x86.P...`^L...S>f. .F_CENTRAL_mfc100rus_x86.P}C..KM...S>f. .F_CENTRAL_mfc100u_x86.P?.......S>f. .F_CENTRAL_mfcm100_x86.P?..P.....S>f. .F_CENTRAL_mfcm100u_x86.Pm...G....S>f. .F_CENTRAL_msvcp100_x86.P.......S>.. .F_CENTRAL_msvcr100_x86.P...@.....S>f. .F_CENTRAL_vcomp100_x86.P3...K....S>f. .FL_msdia71_dll_2_60035_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8..^b..:..[......+.."SP$......W..de`e. .(.$.gV...2..X.A....*..y....v..a.....v......+.A.Q...k....,.<..`f..F........4.]..l.|wq..\..\../.[.=Y..nG.
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219., Template: Intel;0, Revision Number: {461C455E-DA40-49B3-871B-14308CC7CEFF}, Create Time/Date: Sun Feb 20 07:03:10 2011, Last Saved Time/Date: Sun Feb 20 07:03:10 2011, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.3), Security: 2, Number of Words: 2
                    Category:dropped
                    Size (bytes):163840
                    Entropy (8bit):6.375644516596573
                    Encrypted:false
                    SSDEEP:3072:0oTMYRradauoCcJg95gTdmmYdwYNRTK0+E4mN2E2275V495u:7RWd1odm4mmYdwT1
                    MD5:3FF9ACEA77AFC124BE8454269BB7143F
                    SHA1:8DD6ECAB8576245CD6C8617C24E019325A3B2BDC
                    SHA-256:9ECF3980B29C6AA20067F9F45C64B45AD310A3D83606CD9667895AD35F106E66
                    SHA-512:8D51F692747CFDD59FC839918A34D2B6CBBB510C90DEA83BA936B3F5F39EE4CBD48F6BB7E35ED9E0945BF724D682812532191D91C8F3C2ADB6FF80A8DF89FF7A
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    File Type:PC bitmap, Windows 3.x format, 164 x 628 x 24, image size 308978, resolution 2834 x 2834 px/m, cbSize 309032, bits offset 54
                    Category:dropped
                    Size (bytes):309032
                    Entropy (8bit):6.583379857106919
                    Encrypted:false
                    SSDEEP:3072:yUDLmozgtuVYKKKvwUbKh5+/uWLspp2e1jSaMsb1bIZU0g0WQbO//QGVYBtGKQgc:yUDLmozvygKjzbIGgBZBkUfDfc
                    MD5:1A5CAAFACFC8C7766E404D019249CF67
                    SHA1:35D4878DB63059A0F25899F4BE00B41F430389BF
                    SHA-256:2E87D5742413254DB10F7BD0762B6CDB98FF9C46CA9ACDDFD9B1C2E5418638F2
                    SHA-512:202C13DED002D234117F08B18CA80D603246E6A166E18BA422E30D394ADA7E47153DD3CCE9728AFFE97128FDD797FE6302C74DC6882317E2BA254C8A6DB80F46
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:data
                    Category:modified
                    Size (bytes):432598
                    Entropy (8bit):5.94767156452672
                    Encrypted:false
                    SSDEEP:6144:W7vgqkZ7YvjX2Je7vgqkZ7YvQGScfvkY3pEFmklfAi:wvgqkZ7YvvgqkZ7Y6
                    MD5:F4E8D8CC68519DC3A9754D88E1940157
                    SHA1:3FEB8EB174A33A5B9E7BB1F3C5C423B9555FEDDC
                    SHA-256:FCD6669A2521CDB4C221BEE40EC751EEA1D878EF44C3AE2CE9D1C48310F71A4F
                    SHA-512:A8F37231124599BDEC97ACC20983E53EA782E40BF44129E51C676886C2690F63AB1CFF5DAC69C19B9B426CEC1F4805048E0F148796D5542A54CA850DCBE721AE
                    Malicious:false
                    Reputation:low
                    Preview:...@IXOS.@.....@.=>Y.@.....@.....@.....@.....@.....@......&.{3A9FC03D-C685-4831-94CF-4EDFD3749497}(.Microsoft SQL Server Compact 3.5 SP2 ENU..SSCERuntime_x86-ENU.msi.@.....@.....@.....@......ProductIcon..&.{84395861-2117-43CE-9029-6D1A73F6929A}.....@.....@.....@.....@.......@.....@.....@.......@....(.Microsoft SQL Server Compact 3.5 SP2 ENU......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{309E848F-658B-4419-AC6D-FF3BAA5E71A7}&.{3A9FC03D-C685-4831-94CF-4EDFD3749497}.@......&.{4293DF50-7F0E-47F9-1033-4662ABD730B5}&.{3A9FC03D-C685-4831-94CF-4EDFD3749497}.@......&.{D5ED5BEE-1033-4134-A902-6ED3C0537565}&.{3A9FC03D-C685-4831-94CF-4EDFD3749497}.@......&.{C61FD46E-3E0B-4D54-B715-6AB6FF9C92D5}&.{3A9FC03D-C685-4831-94CF-4EDFD3749497}.@......&.{24D886CF-AB3A-46F1-86CF-CDC0F1B9FF43}&.{3A9FC03D-C685-4831-94CF-4EDFD3749497}.@......&.{A541BA6B-D87D-474E-8EB2-E6E947BBD677}&.{3A9FC03D-C685-4831-94CF-4ED
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):296816
                    Entropy (8bit):5.856355922703588
                    Encrypted:false
                    SSDEEP:6144:4at6IwKl/oz2K2f0Ej5gM46OzF7WUfCCTjmr0MoqZDAAjR1LMSfnPMy/Krr0tvzZ:4at6IwKqyPLpnPMXQNzMm
                    MD5:85816EAB04B6AE8EB154C962E32D5AC8
                    SHA1:7293CA01C5F91FD637F4EE814AA5CB8B0EC584A3
                    SHA-256:CA059CEC59A78539B8534C6BA6F73E37FCF9931E2085070A0681814E3E332DB7
                    SHA-512:87677886F11A21AB0C745AFC4C6F1887EB88A6D426EF5C105B6B30370388D7F026B886CFAC8A06D2DA735102731A748BC173F11DDA0985220C6C9194ABECE58E
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                    Category:dropped
                    Size (bytes):10333
                    Entropy (8bit):4.959824336163232
                    Encrypted:false
                    SSDEEP:192:afz57PWJa95+nEukuzXKPV33qzIAd4s9MMnlmoU4MUcP2lZigm49W8V99SH12:wPWJw5+EukuTKNHqzIAd4s9/8oU4nlZP
                    MD5:913AB761C1C4C94D9847A165960DB242
                    SHA1:4BC008B21B30211F928EED4323E473BD8E295B3E
                    SHA-256:AAC4D6A88785284A57089F6C44D3C44EAFF94AF7CE76A77678F1927D77B2223F
                    SHA-512:B27A0B9360CA82F0C895AEFDE3205ACB36D5DE11287D2A7D61ACECFA747E6B78443804449BA57129682CCCF4A7BA57BE8AF5B574F38B5DF428A68240674FAB1C
                    Malicious:false
                    Reputation:low
                    Preview:{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\froman\fprq2\fcharset2 Symbol;}{\f3\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;\red0\green0\blue0;}..{\stylesheet{ Normal;}{\s1 heading 1;}{\s2 heading 2;}{\s3 heading 3;}}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\b\f0\fs28 MICROSOFT SOFTWARE LICENSE TERMS\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120 MICROSOFT SQL SERVER COMPACT 3.5 WITH SERVICE PACK 2\f1\par..\pard\nowidctlpar\sb120\sa120\b0\f0\fs19 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the software named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft\par..\pard\nowidctlpar\fi-363\li720\sb120\sa120\tx720\f2\'b7\tab\f0 upd
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):231280
                    Entropy (8bit):5.630521898235723
                    Encrypted:false
                    SSDEEP:1536:+QvdjF+8NvPVc4xe3fILpE610bmFpfq46Mw7vxAna449rHU:+QRP3Vcxqm61XFpq4qAa449o
                    MD5:A315C09962992104D43EAA19A7AFB7E9
                    SHA1:2A5910EFE487C94A9295B1A5782C15EB7AA39DA6
                    SHA-256:B6AFC59555B9A3A57D0B7DA26A2D8C07DD66D79304A8FFD0D11B37A2EC1CDBF6
                    SHA-512:7A29830CEA2166E8EFE4FEE5846C4AC074BB7F8539F2ACD3A2C790BCA37025B485E07AF26BCC953A1665C60F6FE5E0CFC609BD254309419EF2BB29A7E3734889
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):296816
                    Entropy (8bit):5.856532764538962
                    Encrypted:false
                    SSDEEP:6144:nat6IwKl/oz2K2f0Ej5gM46OzF7WUfCCTjmr0MoqZDAAjI1LQSf9PMy/Krr0tvzL:nat6IwKqyuLl9PMXQNzj3
                    MD5:FFB3E32B9B69EFEF5AFA96DAA023AADA
                    SHA1:9BC6783FFF6FC3B5B3B0D8C54CE900182A889228
                    SHA-256:ADC4AD91BC1F5E170E500BF022E975DADDA5B9986EADED953CB09A934BE6B23A
                    SHA-512:8BDBC04BFE92060FC83F6226101918DDEDB736EE6AE27CA4A183FCFC45DF3E74755719EB5837E467B9678B99C3CF834DB4384D7947D80FEE08754499C67A8D0A
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (450), with CRLF line terminators
                    Category:dropped
                    Size (bytes):6656
                    Entropy (8bit):3.542424268066296
                    Encrypted:false
                    SSDEEP:192:T3C6Piv/hnSsnQNP4N7NrNVN1NINQNhQNh4K:VPiv//nQNP4N7NrNVN1NINQNhQNh4K
                    MD5:5CF6A059BADCD87C8CCA23E65108EDF7
                    SHA1:2AA71B180A2F6454677BB1A316DBA4F26AB07A67
                    SHA-256:79982913EA730D365BFE6DC6FC869EBA3C1391B972DE3C92B6B529E37D8944C7
                    SHA-512:12FA92DADF8B3DF67A98CCD87CE80F4ADE91BAD3B4BEF008CA2CCF0EF899B75052CAD001EF26A86BAE6D7630AFAD0BB4514EDEC0642CBD56A1442E620002197B
                    Malicious:false
                    Reputation:low
                    Preview:..The listed .msi files each install its enclosed components to a specific location on the destination computer.  This helps to ensure serviceability and technical support.  The .dll files enclosed in these .msi files are also available separately in this redist.txt.  However, distributions of these separate .dlls may result in issues of serviceability.  For more details, please see http://go.microsoft.com/fwlink/?LinkId=94589....Private deployment detection via BreadCrumb:  Private deployment of
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):360786
                    Entropy (8bit):3.701704995253658
                    Encrypted:false
                    SSDEEP:3072:pOlgWAyjv8FxsAzXokT9dIykNY1rZA2K+QE7pmnNLINvZ2NQeRN3R+1Dr0Sl4l9S:yBNLivZ8Qeb3R6S6mVqT
                    MD5:78ED4FEC4B43F7C0C9EC06C1E25101DD
                    SHA1:64E500CF17EC739973B54C93688F6C3CC6B842F9
                    SHA-256:EEADD4F6BD5A7BEE848066A4D6870E3FAD9C33BB7DDD25225497BA4E9E95FF79
                    SHA-512:90ADC9F9CCEB166983AE6E4C1FED6B13EFC1572E2E6A1B0939C3C91E9220869E74C9138D9C0486E910178D87BE23C7748884F6E3E781086460925A4E89115AB4
                    Malicious:false
                    Reputation:low
                    Preview:..<html xmlns:v="urn:schemas-microsoft-com:vml"..xmlns:o="urn:schemas-microsoft-com:office:office"..xmlns:w="urn:schemas-microsoft-com:office:word"..xmlns:m="http://schemas.microsoft.com/office/2004/12/omml"..xmlns="http://www.w3.org/TR/REC-html40"..xmlns:ns0="http://www.microsoft.com/tooltip"..xmlns:ns1="http://www.w3.org/1999/xlink"..xmlns:ns2="http://ddue.schemas.microsoft.com/authoring/2003/5"..xmlns:ns3="http://msdn.microsoft.com/mshelp" xmlns:ns4="">....<head>..<meta http-equiv=Content-Type
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):231280
                    Entropy (8bit):5.630305867257215
                    Encrypted:false
                    SSDEEP:1536:fQvdjF+8NvPVc4xe3fILpE610btFpfqi6Mw7vRAnaur9rHUe:fQRP3Vcxqm618FpqiGAaur9o
                    MD5:7926DFA947540661B2CC1A1F687F6EFA
                    SHA1:6E62386FDE80AF9B9E29B6B2461D016B1E7108C4
                    SHA-256:4499D32DB4FD8CDF981EB9D255A7B3DA2019A5B544144033C7B6C42725C540FC
                    SHA-512:EDC2DDEA636EEF47A506F106E3228EA8CFF4633696B300B67A521C455E9EC57F45A9BFC792396BB20C9F36B89C0B9B4AC456E3A0EF576A9AF8FACDF4397DD416
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):342384
                    Entropy (8bit):6.3727462032763755
                    Encrypted:false
                    SSDEEP:6144:EcK7mKpypvhHxLXkybCRPw6ms0xH92uahcSzKVOhGmDwfbhHYO8X/XIZni:Ec/UghHxLXkymPc9d6c+KVOhGlVo
                    MD5:48D3292A287A2454801B923B1166F489
                    SHA1:FBD7501F6A9B46E664AA82D4B569625E4AB20C6D
                    SHA-256:84C214605381C5FAAEAC7F89EDBBC8C9BDCA2DAD6284377CF0ACCD6395170099
                    SHA-512:80B8523EF1C5010FAFF3D319186A53019A9113609F6F27B35294BDFF4899E533F4CB6F997099361B41DD71854E7D4FE06E1A2157A0F0CF72FA1A0BF46A21113F
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):83312
                    Entropy (8bit):6.369000439509116
                    Encrypted:false
                    SSDEEP:1536:ZtqJybrq6t/mnsPkrcJwtk+GNeFtiU7LbPvyt2oA7jW5BkOQLCx95:2Jybrq6t/mnsP4NKN6tiSqNA7j0kOQLg
                    MD5:01B005BBB9E4C92990B27A06ABD26858
                    SHA1:2E2E66C43FD3C8680BE860DD0F8717FC499AF28D
                    SHA-256:8E67E467456207AD5FD8F9582126D197541B5931DCDE612C284EA4469C88E675
                    SHA-512:C3A8A829140F8AF6C4FAC88C6AB15293861607A2C424F7C2106DAE672EB3FBCEA1A3CF874AD6DC78072F6F57C1DCCAB4859D6BC6075EF3FBA97202A20302CA47
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):147312
                    Entropy (8bit):3.811328908350425
                    Encrypted:false
                    SSDEEP:3072:Ukhc6lqUC23HX/JpgHSDyEHf4eg1hK9iP9o:UgTkl
                    MD5:88E69D845B1513634AF2FD0E725F9A29
                    SHA1:58E62911B1640D4018042A05034376D5AFA0A63E
                    SHA-256:3145449717F75823A4C5856CC68BF9A9ED540AF899C948853207F35E396ED319
                    SHA-512:721AC60CCC695E2CDC7BD6170D1056F7C5AD659F248717DE96BCF0B3F09CBC6967F79093E78D2761A5FA76FA7A89A4A88B368BD40DEB99364DDAB4FD2BF94189
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):63344
                    Entropy (8bit):6.237156911588381
                    Encrypted:false
                    SSDEEP:1536:EJmkbCF8EcgHjBv2GDqcTekOq+Fxlj9rHUJ:2NbgXVv2ezTekOPrlj9o
                    MD5:1AC99F626C7B67616123887EABA4780C
                    SHA1:3ABA4EC8ECA0950C648BD5A68EB80C8218478B4E
                    SHA-256:FA97E2AD9EEEAEFBF1162D7D708FB30222BE25FDBC804AF6E44097486CA2347E
                    SHA-512:D99CE1CBB4A899FFC4FE42B197486FDB18845A70DEAAE40C9611B2F58E98B7CBAC75AC4D4C961BF22C6A000D8429DA017BBF7A1DC70359A4D6B39F0FA9DCED0B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):169328
                    Entropy (8bit):6.417845601370202
                    Encrypted:false
                    SSDEEP:3072:OMJ2xXH2vXwhoTLz/zXxE6ZAwzzUCUPAoJsq8KjglGOdls+KLF79+6/TkO+GsR3G:OBXH2ioTDXxE6ZAw0CUoKjCsZr/TkO+c
                    MD5:C3BA67167ABFAC31C39BC959B250CED8
                    SHA1:AE625D21C22528697AE771247366DDE792FBFB22
                    SHA-256:227F1ADE7CC250F00B9327753E1D8AE6247F921B001B27E61226CE86B4B5F096
                    SHA-512:7131D74702901CB2E05B0E2F98829A7219D3A3FA2360A079C43121BE4D7F03FD845722DD8C41BADF319B07ED8DAD30328E093ABA316D2390C5FDFBDBE676DC52
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):640880
                    Entropy (8bit):6.560410607742259
                    Encrypted:false
                    SSDEEP:12288:r2kVVmz1d2v71ToxQ8xFKmneGLGTbPTvl6frE+Pp5haZkVwH8sFz0:6k8d2WNC/YGDd8np5sZka0
                    MD5:36CCD0CFE3FC326260BAA7425BDE5C9A
                    SHA1:1F070C3125A26F7A45378539DF352400C91FD027
                    SHA-256:84C5AFB1EA50321210E1C0D74BAF59FD47B256ADCD3E360CA170F02DC5DDEF7B
                    SHA-512:AC29E0D35FF4A704E0E73A6AB66FD7515E5D5A2CE993FEB38210A2D46CFDCC13D6A65803BD899AA4E4BF31CED8AB9914D7B6C80319B78223FB4E78F30B6B80BD
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):361840
                    Entropy (8bit):6.553116599557057
                    Encrypted:false
                    SSDEEP:6144:lXy6pDb3Wqf6lC7v8rGw4MpwtfbCy476bmB1EnDY4qSFyHPS7ngE8kOrkTK+:rCqSlCb8X4Qw9bg6b/Y4qSbnK+
                    MD5:958582542E5827C3B1B191F1C6C123F4
                    SHA1:AD43B8E9D7C7908E0A24548267EAAED71DF53449
                    SHA-256:94CF89210F733AB8625750923335D60B52D0D26F084A39670C41ED247CFC2FB6
                    SHA-512:E4170FB6CC50BAFF533622428750CB2B09AE59A69E4AF486F485A97ADA18D3B9725F0320870CE16BE3E9404CF49BF084455E40361FB4E8305A91EE14E0870DF9
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):115744
                    Entropy (8bit):5.568536524162558
                    Encrypted:false
                    SSDEEP:3072:CwiXrhJzera3SCvvcgcWc+IEZ1GNF8L8Cy/D:+rhJzera3llIEZ1Vg
                    MD5:DA5EE020BEF41DC95C3532CBAA1EA8F4
                    SHA1:6053C6FAD74F8B47494609AF439244E69D262B16
                    SHA-256:2E933B9823F15038EAF786F0898DF03508A17ACE8620A404EDF5229AEA0B9F18
                    SHA-512:6E2FF7406D22B3FA42F3A34519F8775559080E12B3F68840012E87ACF654C21F65D8599EC42A9B6F908AB1F621C0ACAD517E85B589D38F6D06E4EB603A37C7A7
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):92016
                    Entropy (8bit):5.298427268425719
                    Encrypted:false
                    SSDEEP:1536:MQFhnnyxmTD/cy6EowJk/JtMNxLq2nGafMP3aQmJS9zq2igAMXsJZYDrAUc/OnJa:MQVD/cy6Eow2/JMlnGaUPqQmJSJq2inx
                    MD5:8004FB800AC43E123710860939C02912
                    SHA1:03C9B998F4ADDAF4E4F08D6BF2393593D98B0840
                    SHA-256:B2BF18F9A9F19C0871836D3B8A8896C3F41AFA48944ACC117DBE0301BE0D2203
                    SHA-512:F7888C1D9539B6E3B9F22CF97CE3AB48E14648F69FEA97A4F877C90C02AF07032634BFAB35312C90E5F27E0B45889D2F2EE5D0E7E6FB67EF32680220D38BDCB0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):115744
                    Entropy (8bit):5.596891250705777
                    Encrypted:false
                    SSDEEP:1536:UJeV8Td6HjYZDzyaqPuQr2cQHZcYHwwpAfqfJsssh8Cu1:UQV8TtDzbqPuRSrssh8Cu1
                    MD5:01B68622F7B4A699D52F9A0B5EA5E4EC
                    SHA1:E3656EA1D320F475F2484EB3DBA8FD3050487327
                    SHA-256:FCBB269DB40C672FFCFB0B9D82E7958F2C746E7476671FA704DD4FB025527048
                    SHA-512:66DF55A5D40A20824A92A4918B31D51ADAF6773E32B6E889C7F8DEFEA9F7CE515F635164DAC6EB4E7DCD8A71DF297D199F138945B78F868FDF4BCBE2547D9D17
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 (with BOM) text, with very long lines (1080), with CRLF line terminators
                    Category:dropped
                    Size (bytes):19831
                    Entropy (8bit):5.046728669542809
                    Encrypted:false
                    SSDEEP:192:i76ioab+hqfwegwiX1xBt3Ufs5fh0QgLpoh3p5KZ/Mv2CJOTxnA9zqH4BS7EHIln:i7WyJaxKRiJOTdAtqH4+bGnnIWuZ
                    MD5:41EE7EB940AA7753C8D1044F78CB0602
                    SHA1:84D49A9FF71D20DEB7C2F4A7F03CC330FA5D7681
                    SHA-256:76BF7BAE9309F3F31B8A30DC4EC9FA700CB38B51339D4161DC34186655FBF81F
                    SHA-512:6971CCF58D818BC57FD110CB04945C04E27752A2CB28D4C007D699586537AACE865C61B5B27DC859437BE8773F63F9EF37648787DF55D61FDBCAB050F37009C0
                    Malicious:false
                    Reputation:low
                    Preview:.<html DIR="LTR" xmlns:tool="http://www.microsoft.com/tooltip" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:ddue="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:MSHelp="http://msdn.microsoft.com/mshelp">.. <head>.. <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=utf-8" />.. <META NAME="save" CONTENT="history" />.. <title>Readme for Microsoft Synchronization Services for ADO.NET</title>.. .. <Style TYPE="text/css">....body..{.. background: #FFFFFF;.. color: #000000;.. font-family: Verdana;.. font-size: medium;.. font-style: normal;.. font-weight: normal;.. margin-top: 0;.. margin-bottom: 0;.. margin-left: 0;.. margin-right: 0;.. width: 100%;..}....div.#mainSection..{.. font-size: 70%;.. width: 100%;.. padding-left: 10;.. margin-right: 10;..}....div.#mainBody..{.. font-size: 90%;.. margin-top: 10;.. padding-bottom: 20;..}....div.#header..{.. background-color: #D2D2D2;.. padd
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:XML 1.0 document, ASCII text, with very long lines (4704), with CRLF line terminators
                    Category:dropped
                    Size (bytes):5651
                    Entropy (8bit):6.111171573386341
                    Encrypted:false
                    SSDEEP:96:886TDc2qp802rQxVhy6a9xInsPkAWtyO9yxTy/X7DCkb3NBn7CC3f6LBn7Nzr:886TDc2qKbrQxta/g3Upy//Hn/3f697l
                    MD5:0B801B3BF00A5BA78062FCD8264761C5
                    SHA1:34C3FAFC4D15A19A1D88B17CA917B0C4A2640B84
                    SHA-256:0B95A508EEF78124BDCD427107E325E93ABDBEC429F21E58F3EF33A632FB4581
                    SHA-512:6CDCD2FD1D09A01068EF37C736A63969F6534F857C8E6266FE3792449758218281EC0BECF3D540605D1A88BAF32F3D1ECAE35A954FAA8D839134705E67A58462
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="utf-8" ?>..<plugin xmlns="http://www.businessobjects.com/BusinessObjects_pin.xsd">...<propertybag name="CrystalEnterprise.KCDefinitions" type="Infoobject" flags="0">....<property name="SI_NAME" type="String" flags="0">KCDefinitions</property>....<property name="SI_PARENTID" type="Long" flags="0">24</property>....<property name="SI_CUID" type="String" flags="0">AY3yXZy9I2RHtz3YNTWxAk8</property>....<property name="SI_HIDDEN_OBJECT" type="Bool" flags="0">true</property>....<property name="SI_KIND" type="String" flags="0">KCDefinitions</property>....<property name="SI_PROGID" type="String" flags="0">CrystalEnterprise.KCDefinitions</property>....<property name="SI_SYSTEM_OBJECT" type="Bool" flags="0">true</property>....<property name="SI_DATA" version="8" type="String" flags="0">eJztXVtz4rgSft8fk7J8d/mJATJhJ2xYYC5Vp05NOaAkrgHM2iaT1Ob899PyTW0MDhBIbKOHmahlRy13f1+rLcnKf1qti+7CuZ3R9qDdtzNp1LpBws0Pu3WZCJ0+Lw9w2adTdxK63oLXjQZtJNAwsD/ddC8+9VoLZ/YchF8D6qdV31z6m/qo5qZ7
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):53696
                    Entropy (8bit):5.282311713199979
                    Encrypted:false
                    SSDEEP:768:/yt8iH7Wd+EO/3T4fgWMiyj1Mm6jAcpIb6AGp/RY8U/DMCUs5JR:KWiHkGDDWcym6Ryu/ZYVMC/5JR
                    MD5:D1C64EEDAB7C5964F2F81C710B5F5677
                    SHA1:656E54AF98D0455FC72AFC58D68BD1C99F72987A
                    SHA-256:05555053A0F1F30BDC5E2E2F04AA78910BA66C1CE67CEFFA79BAD13CEB9030A6
                    SHA-512:7A38662FC7F68854EE2158C5F83D488EBB8D414AA1A26327E23CC811D91256783EE67166648ECAB526389CAC8057DD041373A11DAC3D4C440F5941128EF66E3C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):53184
                    Entropy (8bit):5.260084013832918
                    Encrypted:false
                    SSDEEP:768:4t8iH7Wd+EO/3T4fgWMiyj1Mm6jAcpIb6AGp/RY8U/DuNJ4s5JE:4WiHkGDDWcym6Ryu/ZYVuvD5JE
                    MD5:F34A350F68189549F8D3F36C1EDD47D5
                    SHA1:9D149361E06DFEE565F4CED65C5C7E6CC4B22F37
                    SHA-256:CF80478C6C226C3335530358C7F83B83EE52A38E714790724B2EB0CD60DEC4E4
                    SHA-512:546DAD49E35BF7D97B63EF562337DAA5E28C67CB0C159C856B0D01F65767614A9923A9F92B214149D6EEA623CA8B76AA35AD0FD826D554E2037D33F9BFB7E6A6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):53696
                    Entropy (8bit):5.243980360848507
                    Encrypted:false
                    SSDEEP:768:St8iH7Wd+EO/3T4fgWMiyj1Mm6jAcpIb6AGp/RY8U/Dohh0lDs5JiD1:SWiHkGDDWcym6Ryu/ZYVRl45Jix
                    MD5:4E98E148DA0687787EE3FA9395524EF9
                    SHA1:1B0F97089D1D409111F5215377EE84A761111ACF
                    SHA-256:5FCDAA84FE0C4200B9680A46C4543CBD06113E17411E4F1D0D810FAC94E606FF
                    SHA-512:C0800A8CB0806D922F150616CB150906B13F78A68E27624BF46705179EA52C35DF0ADBA12DD307F72E747FEE97CCA77ABA65C3A519E89064E017FD7F22CDDFF5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):53696
                    Entropy (8bit):5.297795352663743
                    Encrypted:false
                    SSDEEP:768:mt8iH7Wd+EO/3T4fgWMiyj1Mm6jAcpIb6AGp/RY8U/D7MsANntxs5Jp:mWiHkGDDWcym6Ryu/ZYV7Msmntu5Jp
                    MD5:EAC56F27B8313E7729F0E50BD0E5534C
                    SHA1:0CF5AFCBB9F0E6443D01A590040D3B8DF50C08B4
                    SHA-256:A57AE54953713EFC983795D792B0C9020BEB1C83AB3625495E0F2012ADFDC7FE
                    SHA-512:FA68BC033BEC7B43280E8608E758C729FFE8F227687D93503358F21B0154B34732760D38CC1222A0A1823642D4785E14306CFE9E1CF2AF7EC1C62AF1359ED8CE
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):53696
                    Entropy (8bit):5.246348895053847
                    Encrypted:false
                    SSDEEP:768:ct8iH7Wd+EO/3T4fgWMiyj1Mm6jAcpIb6AGp/RY8U/DC++Qs5Jo:cWiHkGDDWcym6Ryu/ZYVC++b5Jo
                    MD5:F74262D63D4DB501CF934FE2725CC886
                    SHA1:917267255CCC8FD6BF146D4C4432E712BD76E7F8
                    SHA-256:22701339064DECBD9B848FE5525F2F712DEBB0CFAB7BFADC1458F33580C53783
                    SHA-512:2C3C6B6E6A6DBC4F6079D76865226155197906AABF078BD8F9F0D256C0D41EA6A703D50F55893AC3E11B6E74920875117408B548D8C75FE2F5DFF057B999C2E5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):54208
                    Entropy (8bit):5.264276648384574
                    Encrypted:false
                    SSDEEP:768:vt8iH7Wd+EO/3T4fgWMiyj1Mm6jAcpIb6AGp/RY8U/Dyhit5Ms5J5ezyj:vWiHkGDDWcym6Ryu/ZYVyhit5X5J5Dj
                    MD5:E0B27338FA368676E3D6D76193AD0D71
                    SHA1:142F38F12B8EEA7DA03681B2C1D472D43DA8AE47
                    SHA-256:F038021402097121EAA2BA6BD8C4C81E0229348C4A136061130B3CFBB71AD0CA
                    SHA-512:6557C28719C0E498010E8551ECFD84DB0A3A8876A9BD5C161B78B058DD8EBC18FDC0E930BA9CC4341A8471F01D6275D4B0E74C8106D505D74162E422E792A49A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):53184
                    Entropy (8bit):5.268652702642258
                    Encrypted:false
                    SSDEEP:768:Ft8iH7Wd+EO/3T4fgWMiyj1Mm6jAcpIb6AGp/RY8U/D7HAviclcs5JD:FWiHkGDDWcym6Ryu/ZYV7HAviclH5JD
                    MD5:987F4CFDF81C89DF85B1C30200470E52
                    SHA1:E105A4E6E20D01C65199D418C59B6AF926A74BF4
                    SHA-256:253346589DD5836DF45FB30AEAA00D29675A6E53E3CE104E83086B3EFE70682F
                    SHA-512:D54D898D9CB0EC3F9BFB4DCF6F6442D07F4C275E52517DE89D553702F4DD4E3C614B67A51C90410962EF5592586B8B299225BD859F74EAE44FC5F27020DC2C83
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):53184
                    Entropy (8bit):5.4493147710142305
                    Encrypted:false
                    SSDEEP:768:Lt8iH7Wd+EO/3T4fgWMiyj1Mm6jAcpIb6AGp/RY8U/DpHaphOs5JpF:LWiHkGDDWcym6Ryu/ZYVYphR5JpF
                    MD5:C031F2BFE10C4CC8B42D1EC1C6C92C14
                    SHA1:F718D3409F4656BBE8D785A5F5EAA0A2B994B531
                    SHA-256:9F554F4BE2AC085EAAD3A975C61AA43D541A9E2E16F59D0128CDA8F82609382B
                    SHA-512:F1F020D960AD440F5909E87F7637C877D74EA904C37752C3B431966B1A651B607EBE9A7B648F20CAF642DAD5013B38967CEC0B50FC35C4E451FF3DE2D4196ABA
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):51136
                    Entropy (8bit):5.406904677781391
                    Encrypted:false
                    SSDEEP:768:Jt8iH7Wd+EO/3T4fgWMiyj1Mm6jAcpIb6AGp/RY8U/DFVs5Jm:JWiHkGDDWcym6Ryu/ZYVFy5Jm
                    MD5:A3F01C935F99508E53EBF91A87274B3C
                    SHA1:AE847E57E8B6B19BDCEC5D6ED9852A000C359B3C
                    SHA-256:796543D10AF370114B14B8494D27ECEAC4E0DD20DC00764CE2D2BE28E573C775
                    SHA-512:64813EAAA2CE45530754AC328CB102AC26560C6C30E999BE8ECA75584BF4DFC252A80FC67557450C16942977907DBEA186E13B94C983489ECC5E6C23C2ED5C37
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):51136
                    Entropy (8bit):5.406910612051012
                    Encrypted:false
                    SSDEEP:768:dt8iH7Wd+EO/3T4fgWMiyj1Mm6jAcpIb6AGp/RY8U/Da/xs5JF:dWiHkGDDWcym6Ryu/ZYVuu5JF
                    MD5:01A03670BB5FB0A79D5224D58CCB60B6
                    SHA1:DF3110EFE494A9355F879AAA60BE0781A2F13AC0
                    SHA-256:47CC580476102BC870523A57060249094B829172D2D994710DE2F129050E9D6A
                    SHA-512:760F363FA949A4E4C404F05D1E050B44DA37C056F3ADD5515A3F15EA9CC8B73B8F713C71A70858ACD142BF8D93EFFA8A5AD74D3028E73ABA5BF658252001D687
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13792
                    Entropy (8bit):5.630791174492886
                    Encrypted:false
                    SSDEEP:192:ajRYwic6ZssGb4nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM3rva7Fc:mRYcasxMnYPLxsSJeeMraS
                    MD5:9A4833E33C52EA7AC65D1AC218129EB7
                    SHA1:8C754F63DBDAA1E77646945D492EB7357FD0DC65
                    SHA-256:27708869A35DF1E58A2D60A3B9359ED2FCD368FB1D0CDFFA56CEC1A84514CF06
                    SHA-512:64042D7A67F898118F12DD6C356F77FD997FCEDA37146ABC0344BAC2CB9BBE3E5DD53D7EC262730FAEF7810AB20F6A00F8EB53A0E491115F744EAD1D8A67B1DA
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13792
                    Entropy (8bit):5.63452732601052
                    Encrypted:false
                    SSDEEP:192:L+mAssGdnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM3rrjDxw:BAsxdnYPLxsSJeeMJw
                    MD5:242D9E3C049FFFACFF46B46A55CB7495
                    SHA1:1318879FB5ED9B79DFAA156B87B1FCE924CEAF24
                    SHA-256:D9761862F40A200EEFAA7AF6302582C71C903C777EEE543886134E39484298CF
                    SHA-512:0158FA3884A539B2E4C05FA75B5A01BE05DDD9CBDD9A257FF0332B4314AD27713958B262D7F20CE4D16EC3FFD75BC5C043B49C05229C06D363BD99DECB1B4982
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14304
                    Entropy (8bit):5.64271032263772
                    Encrypted:false
                    SSDEEP:192:js7CvwCmLssGUnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM3rZGD:j/asxUnYPLxsSJeeMNw
                    MD5:27A3C33680AD0B84B3400D8E1A017D15
                    SHA1:962D64B35AF9F1E1FE8CB077D07CF4B70477A733
                    SHA-256:EF518F67B6E3850DB62645036DDE960C73F7F28E7FEC9BF50DF0ACC785EC180B
                    SHA-512:94CA46C2383998B9605734EB73824966955344F43B7F8DDCEB7892A117051A63B9E395404B641BCD339ECD2B3D67CB91E8FB1CE192714FFBD1D9C3EC9DD637DC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14304
                    Entropy (8bit):5.676524672651288
                    Encrypted:false
                    SSDEEP:192:OOSvyZ28s1rr8pTTWssGdnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM3rVU:7o428sZr8pTisxdnYPLxsSJeeMi
                    MD5:E4CE50FE9413D82AF6B478DF5C3FDD57
                    SHA1:2C9D086DCD5A1DFC08C940266C862F651A02382C
                    SHA-256:9B0579852EEEA63EF733F477C88A80A2F5C1F2F561EC24FBFD0AD3CBDD3E4A32
                    SHA-512:D2B4B3D19FD2CF206144C2199976A5CB97DF6984A6F2145DC7EA6FFCAE6F327DC5C6372CE29883C34E7159BE38A0E363766A2D39882EA6A7FBC186928C98447A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14304
                    Entropy (8bit):5.652463516555734
                    Encrypted:false
                    SSDEEP:384:ne+Fa8ohq9LV9jNKFtsxfnYPLxsSJeeMr:ccxs5JI
                    MD5:1F6FCA8047806B1169D784BE9DC1B0B0
                    SHA1:56F0D551AB9FB40F024B7CAF2B552AE94393FB20
                    SHA-256:4527C695024B78BFD7C4253E1FB0671945968C8407A1B6B0263BE365BA131E7C
                    SHA-512:48FCBA28073A4C62D3B082D772866E7A6C1F34A556E1A100CBA04308BC96B646AFDBC134C3B1E6982E14EF63B851A5DD18AB6AE726C3C923EC3A1DCC72C765FA
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14304
                    Entropy (8bit):5.662516158151441
                    Encrypted:false
                    SSDEEP:384:ecDillJHGK9jAHKTIwlJBsxFnYPLxsSJeeMd:pq+Hs5JC
                    MD5:EEC106626DAC2468A171D838992FA792
                    SHA1:1D1D0962ABC439A9B2B963619EDAF723ED25C37B
                    SHA-256:725EA020CE928514C310B4B0B21F9D8A402B4B02C24A15FD91C2086A4045E682
                    SHA-512:9AD62E0B8A389D15C877A555CFFD771E42E6218525E108504F2BB66F58B60BDA609934C53E94A380F33E066C3141E3360BEF8092245167F38D1BE8A716018E21
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13792
                    Entropy (8bit):5.626993013295661
                    Encrypted:false
                    SSDEEP:192:Y7EIlassGTnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM3reII:YQIMsxTnYPLxsSJeeM+
                    MD5:E2D86DA22BD6EE3BE559C0784277D52E
                    SHA1:EB7E5143F240E7BB51E8496DFB5F94B9F42C3E5D
                    SHA-256:C7E063188A37DC417FE2A1EE103DA75C49E3B8B70F200768348FC4B89983EF1D
                    SHA-512:7C6C01611F8826219B22D9F209A7E03B0CDB2F4E3D88694849B3EBCC4434BD1D7D1B4299D1228A184EB17FC8816047CBF32F09845853D0879DA9784801BB3BD5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13792
                    Entropy (8bit):5.8641556166430915
                    Encrypted:false
                    SSDEEP:192:fH2tqJ+7czssGlnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM3rYkbSW5y:fHM7+sxlnYPLxsSJeeMB5y
                    MD5:899B99EEFD4E46B1BED174F0B511D6A0
                    SHA1:BABF42C1144F6688DB9058463DD842C4400C8EB4
                    SHA-256:304396E4E8EF80F948F0C4A77B5E09035BEAE7F04DC1BBCA7A0F5D3846EE907B
                    SHA-512:12D41F0E2E519C1A574DA2FDD3732062F40078D77AF8C2D1386781FA8F3EF752ADC230E5A27C3F5C3B97FC96EA4E1808AF2FF2E35FA38FC122F7D389E0E9672E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13280
                    Entropy (8bit):5.895128910115504
                    Encrypted:false
                    SSDEEP:192:7HssGSnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM3rKIC2FK:7HsxSnYPLxsSJeeMGEK
                    MD5:4FCEAD2A8CC9338581E2C7BF974B655D
                    SHA1:548932E9047D1AB193B2F41369A62F797C8AF7F9
                    SHA-256:6E92D69988D8FF28FBBFB369082735FF91710FC3D2B9EFD607498BE4F00922E2
                    SHA-512:D4F0D5B94E3A9C052902B28873DC4BB5E03B8BED979A2AA0FD112927441CFB94AA853B549D3A35BE2459FC804852AB565519CDD64E30B0A44A78251A6489BA3A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13280
                    Entropy (8bit):5.894034397817238
                    Encrypted:false
                    SSDEEP:192:ii4ssGtnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM3r8cHWb:ii4sxtnYPLxsSJeeMQcE
                    MD5:B9E7194EF6AD4BFE87B958C338CAC408
                    SHA1:7F1CAE24F2343022785BC6CA204E57D1C9369B50
                    SHA-256:12124C3557D99A04550D40185DD01EFA8B2720751F5691AEFDFF2EB3EC7AECEF
                    SHA-512:D21874D713C9232D938A5620A5C66E92CF699D72AA506978D0ED77999E73011BA3510AD828B171CFE57FECEA432AD781216CCCB1E63CE37E171F139C94C8F9B6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (352), with CRLF line terminators
                    Category:dropped
                    Size (bytes):17164
                    Entropy (8bit):5.446045250705496
                    Encrypted:false
                    SSDEEP:384:XcKoA1ikH3+PGFIsdzZ+hbpkHVH7p1cM5AvWQ0NcCZPDAd9:XR1RX+PFsd1+hbmHd7zAvWfNcCZkd9
                    MD5:C7F4D0D2B569BF8726166874280153D5
                    SHA1:4802A7857F24C59BB4606C5901692B29E8CBF392
                    SHA-256:BC3131FA4F8E6848197DEEBFCD5CC8533C593413586CC6BF4008D10B21A163B0
                    SHA-512:07DFF3BAC28A628554C4FE0A1621780DDD4C59F2FBDAE2500421026D9108BFDDD1F260F2E15F95527FF5E9478AF14EED77A29ADE5100CF17EE6530A67E9EDB6D
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Hlavn\u00ED sestava";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "P\u0159echod na prvn\u00ED str\u00E1nku";..var L_bobj_crv_PrevPage = "P\u0159echod na p\u0159edchoz\u00ED str\u00E1nku";..var L_bobj_crv_NextPage = "P\u0159echod na dal\u0161\u00ED str\u00E1nku";..var L_bobj_crv_LastPage = "P\u0159echod na posledn\u00ED str\u00E1nku";..var L_bobj_crv_ParamPanel = "Panel parametr\u016F";..var L_bobj_crv_Parameters = "Parametry";..var L_bobj_crv_GroupTree = "Strom skupiny";..var L_bobj_crv_DrillUp = "Zav\u0159\u00EDt podrobn\u00E9 zobrazen\u00ED";..var L_bobj_crv_Refresh = "Obnovit sestavu";..var L_bobj_crv_Zoom = "P\u0159ibl\u00ED\u017Eit/odd\u00E1lit";..var L_bobj_crv_PageNav = "Navigace str\u00E1nky";..var L_bobj_crv_SelectPage = "P\u0159ej\u00EDt na str\u00E1nku";..var L_bobj_crv_SearchText = "Vyhledat text";..var L_bobj_crv_Export = "Exportovat tuto sestavu";..var L_bobj_crv_Pr
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (302), with CRLF line terminators
                    Category:dropped
                    Size (bytes):14256
                    Entropy (8bit):5.151821372716751
                    Encrypted:false
                    SSDEEP:384:vFtC7njZnd9Jv8Yc58hjDySwl3VCBU/vtP/0XGBLLiKW:W7jZjJxySEVCu/vl4KW
                    MD5:821E9C067FF27F97C048F3CEDFC259D0
                    SHA1:4CC613993B01BA735AEF9417E0AB33464FAD64C5
                    SHA-256:67EC73CDF2017624F696F70778483603966023BF185CDFE671274D8BC505F237
                    SHA-512:689832A690EC7704308094CF1698C708656568EEB76B5F0B8450826A3093E5A8BE66B199EBEE6846EB688F674365AFC6462562CFEB7C06D485D328A39223207A
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Main Report";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Go to First Page";..var L_bobj_crv_PrevPage = "Go to Previous Page";..var L_bobj_crv_NextPage = "Go to Next Page";..var L_bobj_crv_LastPage = "Go to Last Page";..var L_bobj_crv_ParamPanel = "Parameter Panel";..var L_bobj_crv_Parameters = "Parameters";..var L_bobj_crv_GroupTree = "Group Tree";..var L_bobj_crv_DrillUp = "Drill Up";..var L_bobj_crv_Refresh = "Refresh Report";..var L_bobj_crv_Zoom = "Zoom";..var L_bobj_crv_PageNav = "Page Navigation";..var L_bobj_crv_SelectPage = "Go to Page";..var L_bobj_crv_SearchText = "Search for text";..var L_bobj_crv_Export = "Export this report";..var L_bobj_crv_Print = "Print this report";..var L_bobj_crv_TabList = "Tab List";..var L_bobj_crv_Close = "Close";..var L_bobj_crv_Logo= "Business Objects Logo";..var L_bobj_crv_FileMenu = "File Menu";....var L_bobj_crv_File = "File";....var
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (351), with CRLF line terminators
                    Category:dropped
                    Size (bytes):16422
                    Entropy (8bit):5.221900380967974
                    Encrypted:false
                    SSDEEP:384:h2exe25G4e9lI1YwwBVaDBVIbVK4xP067okinDACBi4lmDBVcwBVSDsp:hPe2ke1YFjaDjIbVLlW8CBifDjBjesp
                    MD5:6D6E601C63FE0FC240A42500338A38E2
                    SHA1:C98513A9DD95897789212CD09810B7E60E55A7D4
                    SHA-256:FC5834E222CFE6E5BFD0EAAA5D411D3B5C4B1A43C7FF1453A3D4AB75F6F5F01F
                    SHA-512:EEDE4E4602FE85BA11332F6F08229AF7A17A347B185AD7C0B68E4A398B82F960285573713E0258DA5858DA228312265C686476F90A3C17F4D2C380914AD82EDC
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Rapport principal";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Aller \u00E0 la premi\u00E8re page";..var L_bobj_crv_PrevPage = "Aller \u00E0 la page pr\u00E9c\u00E9dente";..var L_bobj_crv_NextPage = "Aller \u00E0 la page suivante";..var L_bobj_crv_LastPage = "Aller \u00E0 la derni\u00E8re page";..var L_bobj_crv_ParamPanel = "Panneau des param\u00E8tres";..var L_bobj_crv_Parameters = "Param\u00E8tres";..var L_bobj_crv_GroupTree = "Arborescence des groupes";..var L_bobj_crv_DrillUp = "Explorer en arri\u00E8re";..var L_bobj_crv_Refresh = "Actualiser le rapport";..var L_bobj_crv_Zoom = "Zoom";..var L_bobj_crv_PageNav = "Navigation dans les pages";..var L_bobj_crv_SelectPage = "Aller \u00E0 la page";..var L_bobj_crv_SearchText = "Rechercher le texte";..var L_bobj_crv_Export = "Exporter le rapport";..var L_bobj_crv_Print = "Imprimer le rapport";..var L_bobj_crv_TabList = "Liste des o
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (319), with CRLF line terminators
                    Category:dropped
                    Size (bytes):14884
                    Entropy (8bit):5.217502031367176
                    Encrypted:false
                    SSDEEP:384:+7vR0/pJ7E5lLvapDbE4u+9Wr6XTYTAeMJxoo0FP3Ewe2o3bMbGcBm:w+/P++9Wr6jYnMJ/0dd0rMtBm
                    MD5:AF7FC089EF18B38C352C5A7584D9CE97
                    SHA1:805D0093B9231A4464CFA22996A2427BADC72C53
                    SHA-256:66ED19E5B6A23E3A23E152A1A48113097C73DEDA4DE5CD637416EEBD4C586E6E
                    SHA-512:66358B4A8FAD534F9217D45313A14BAA6F3405C7E0C2120915F83E61D0FF2C690B7B7A5BC23C75B8ED20B264232F2748CADDBA49B084D6D1EC5E1FB78053F52E
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Hovedrapport";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "G\u00E5 til f\u00F8rste side";..var L_bobj_crv_PrevPage = "G\u00E5 til forrige side";..var L_bobj_crv_NextPage = "G\u00E5 til neste side";..var L_bobj_crv_LastPage = "G\u00E5 til siste side";..var L_bobj_crv_ParamPanel = "Parameterpanel";..var L_bobj_crv_Parameters = "Parametere";..var L_bobj_crv_GroupTree = "Gruppetre";..var L_bobj_crv_DrillUp = "Analyser opp";..var L_bobj_crv_Refresh = "Oppdater rapport";..var L_bobj_crv_Zoom = "Zoom";..var L_bobj_crv_PageNav = "Sidenavigering";..var L_bobj_crv_SelectPage = "G\u00E5 til side";..var L_bobj_crv_SearchText = "S\u00F8k etter tekst";..var L_bobj_crv_Export = "Eksporter denne rapporten";..var L_bobj_crv_Print = "Skriv ut denne rapporten";..var L_bobj_crv_TabList = "Tab.liste";..var L_bobj_crv_Close = "Lukke";..var L_bobj_crv_Logo= "Business Objects-logo";..var L_bobj_crv_Fi
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (373), with CRLF line terminators
                    Category:dropped
                    Size (bytes):16095
                    Entropy (8bit):5.224090088223997
                    Encrypted:false
                    SSDEEP:384:wQnkDBzN+dt6UMgcE/sMU5YuEE3NFK/sek3O7j0JWSnWvF:/ng9At6Q/PU5vEE3NFK/sek3Ov0WvF
                    MD5:60546DF31FB80C3ECEE36F588C67DFE5
                    SHA1:9A3C0D45881D4180C13A786F87BA9DFBFD4E66F6
                    SHA-256:9DB255C3C311926668F645AFBC2E4953D2CBD9C02AF2333861F09F6C95BB2125
                    SHA-512:0C7BE82FD4590C896331C1F8A9A8AC488F719FEF463B6143BF48FB073EF2256C79CB4E8526E19DA80BC6E555A1EC0D807053C5F06B70740854BC23A14898AE9D
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Relat\u00F3rio Principal";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Ir para a Primeira P\u00E1gina";..var L_bobj_crv_PrevPage = "Ir para a P\u00E1gina Anterior";..var L_bobj_crv_NextPage = "Ir para a Pr\u00F3xima P\u00E1gina";..var L_bobj_crv_LastPage = "Ir para a \u00DAltima P\u00E1gina";..var L_bobj_crv_ParamPanel = "Painel de par\u00E2metros";..var L_bobj_crv_Parameters = "Par\u00E2metros";..var L_bobj_crv_GroupTree = "\u00C1rvore de Grupos";..var L_bobj_crv_DrillUp = "Pesquisar";..var L_bobj_crv_Refresh = "Atualizar Relat\u00F3rio";..var L_bobj_crv_Zoom = "Aplicar Zoom";..var L_bobj_crv_PageNav = "Navega\u00E7\u00E3o da p\u00E1gina";..var L_bobj_crv_SelectPage = "Ir para a P\u00E1gina";..var L_bobj_crv_SearchText = "Procurar texto";..var L_bobj_crv_Export = "Exportar este relat\u00F3rio";..var L_bobj_crv_Print = "Imprimir este relat\u00F3rio";..var L_bobj_crv_TabList = "L
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (349), with CRLF line terminators
                    Category:dropped
                    Size (bytes):17003
                    Entropy (8bit):5.430365947357114
                    Encrypted:false
                    SSDEEP:384:AsxYAEiSPwicBZ0lQfMysL5mAPC0MjT1jTkQ+G1g:eAE/wjBZ0lAMyQ5m6E/1/Tt1g
                    MD5:C1E82FFE8EA555E07B884595EA0B74E9
                    SHA1:CB4BAC9F631C2F0380B75AEC11F6AF8A0972971B
                    SHA-256:9D363FB822AD7CB322778CCAC481145F2CDFC896DD8D1F7D370F94EA78FF3825
                    SHA-512:7AC6EBE78C3E083846693AEDC5221BF0AB6884B5975531ACBDA2287786BAFFE591E6CB4CA353C0842E93FDE620BB2C569D37B116DC0F5A44589A029D4FEEEF22
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "\uFEFFHlavn\u00E1 zostava";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Prejs\u0165 na prv\u00FA stranu";..var L_bobj_crv_PrevPage = "Prejs\u0165 na predch\u00E1dzaj\u00FAcu stranu";..var L_bobj_crv_NextPage = "Prejs\u0165 na nasleduj\u00FAcu stranu";..var L_bobj_crv_LastPage = "Prejs\u0165 na posledn\u00FA stranu";..var L_bobj_crv_ParamPanel = "Panel parametrov";..var L_bobj_crv_Parameters = "Parametre";..var L_bobj_crv_GroupTree = "Strom skup\u00EDn";..var L_bobj_crv_DrillUp = "Prejs\u0165 na vy\u0161\u0161iu \u00FArove\u0148";..var L_bobj_crv_Refresh = "Obnovi\u0165 zostavu";..var L_bobj_crv_Zoom = "Lupa";..var L_bobj_crv_PageNav = "Navig\u00E1cia strany";..var L_bobj_crv_SelectPage = "Prejs\u0165 na stranu";..var L_bobj_crv_SearchText = "Vyh\u013Eada\u0165 text";..var L_bobj_crv_Export = "Exportova\u0165 t\u00FAto zostavu";..var L_bobj_crv_Print = "Tla\u010Di\u0165 t\u00FAto
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (1077), with CRLF line terminators
                    Category:dropped
                    Size (bytes):35492
                    Entropy (8bit):4.921648304142107
                    Encrypted:false
                    SSDEEP:768:YaKR2qxRgnyWxeMWP3WPJKXkTRgYHKh0kxPt4Pd4P9ki3:YaKR2qxRgnyWxeqKXcHi/kG
                    MD5:7896E27DA1049818A1EA1622D76B28B6
                    SHA1:F5AB501BC28D03DEFBEDCAA9BC83F302EC1CCF9B
                    SHA-256:FFD2141D3B81507C1AA45FE0A6DBA016B9D143BC83537673560E205357E7C7C7
                    SHA-512:2AACC4D764CF7B70D4B9027448A67D7333C6C9601C4861D04794F55166130485A31F691250231243AC890DC3A294BC7E97D92ABE2B6230DB11ACDFF31EAE7A2E
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "\u0E23\u0E32\u0E22\u0E07\u0E32\u0E19\u0E2B\u0E25\u0E31\u0E01";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "\u0E44\u0E1B\u0E17\u0E35\u0E48\u0E2B\u0E19\u0E49\u0E32\u0E41\u0E23\u0E01";..var L_bobj_crv_PrevPage = "\u0E44\u0E1B\u0E17\u0E35\u0E48\u0E2B\u0E19\u0E49\u0E32\u0E01\u0E48\u0E2D\u0E19";..var L_bobj_crv_NextPage = "\u0E44\u0E1B\u0E17\u0E35\u0E48\u0E2B\u0E19\u0E49\u0E32\u0E16\u0E31\u0E14\u0E44\u0E1B";..var L_bobj_crv_LastPage = "\u0E44\u0E1B\u0E17\u0E35\u0E48\u0E2B\u0E19\u0E49\u0E32\u0E2A\u0E38\u0E14\u0E17\u0E49\u0E32\u0E22";..var L_bobj_crv_ParamPanel = "\u0E1E\u0E32\u0E40\u0E19\u0E25\u0E1E\u0E32\u0E23\u0E32\u0E21\u0E34\u0E40\u0E15\u0E2D\u0E23\u0E4C";..var L_bobj_crv_Parameters = "\u0E1E\u0E32\u0E23\u0E32\u0E21\u0E34\u0E40\u0E15\u0E2D\u0E23\u0E4C";..var L_bobj_crv_GroupTree = "\u0E42\u0E04\u0E23\u0E07\u0E2A\u0E23\u0E49\u0E32\u0E07\u0E01\u0E25\u0E38\u0E48\u0E21";..var L_bobj_cr
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (352), with CRLF line terminators
                    Category:dropped
                    Size (bytes):9177
                    Entropy (8bit):5.254155671733792
                    Encrypted:false
                    SSDEEP:192:XchUv6yPoA1UFkq+3+PGFIs5IGzZmsShbpdaHv7pHWOlBLjz1n:XcKoA1ikH3+PGFIsdzZ+hbpkHVH7p1n
                    MD5:0111ACEA48694E15F883155CE616F5F9
                    SHA1:0281E27CCA22D82E34C47D0E8B331AFD952B50D1
                    SHA-256:E44D367005EE4626A76C11F0BBD88B435894C49B121CADF73D914055A4D8AB2C
                    SHA-512:F1006DAADCABFC1FA41102BF01C8D83D4A8A29FDF0FE50BC71102CAE94C5CB4D2F0213071F670F91A6B90CEC1A39A14850D0720729121222AA614B4E7C2CB8F6
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Hlavn\u00ED sestava";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "P\u0159echod na prvn\u00ED str\u00E1nku";..var L_bobj_crv_PrevPage = "P\u0159echod na p\u0159edchoz\u00ED str\u00E1nku";..var L_bobj_crv_NextPage = "P\u0159echod na dal\u0161\u00ED str\u00E1nku";..var L_bobj_crv_LastPage = "P\u0159echod na posledn\u00ED str\u00E1nku";..var L_bobj_crv_ParamPanel = "Panel parametr\u016F";..var L_bobj_crv_Parameters = "Parametry";..var L_bobj_crv_GroupTree = "Strom skupiny";..var L_bobj_crv_DrillUp = "Zav\u0159\u00EDt podrobn\u00E9 zobrazen\u00ED";..var L_bobj_crv_Refresh = "Obnovit sestavu";..var L_bobj_crv_Zoom = "P\u0159ibl\u00ED\u017Eit/odd\u00E1lit";..var L_bobj_crv_PageNav = "Navigace str\u00E1nky";..var L_bobj_crv_SelectPage = "P\u0159ej\u00EDt na str\u00E1nku";..var L_bobj_crv_SearchText = "Vyhledat text";..var L_bobj_crv_Export = "Exportovat tuto sestavu";..var L_bobj_crv_Pr
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (302), with CRLF line terminators
                    Category:dropped
                    Size (bytes):7413
                    Entropy (8bit):5.039872098648652
                    Encrypted:false
                    SSDEEP:192:voqtC7pxjeQnd9Jv8YcJr8hjDCvSu+oLf3Uyn7:vFtC7njZnd9Jv8Yc58hjDySwX
                    MD5:621D2376C7C3976CE8022799D0D133CD
                    SHA1:852BB6EF208E5DAE6030CF5710CEC37932AF39E4
                    SHA-256:441EC37EA5456B6BD2F40C3EBDDE33820D73B4DB219D9AE0B72E3FBD8DE6557F
                    SHA-512:3BD44F98B999B11C899FAA5D61098A75F1CC5C98D24FA04D3FEBC1BCDAB97B6A35495669A014612841C94C3102541E5421D0E7571DDF3C2996DD68B090624D3D
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Main Report";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Go to First Page";..var L_bobj_crv_PrevPage = "Go to Previous Page";..var L_bobj_crv_NextPage = "Go to Next Page";..var L_bobj_crv_LastPage = "Go to Last Page";..var L_bobj_crv_ParamPanel = "Parameter Panel";..var L_bobj_crv_Parameters = "Parameters";..var L_bobj_crv_GroupTree = "Group Tree";..var L_bobj_crv_DrillUp = "Drill Up";..var L_bobj_crv_Refresh = "Refresh Report";..var L_bobj_crv_Zoom = "Zoom";..var L_bobj_crv_PageNav = "Page Navigation";..var L_bobj_crv_SelectPage = "Go to Page";..var L_bobj_crv_SearchText = "Search for text";..var L_bobj_crv_Export = "Export this report";..var L_bobj_crv_Print = "Print this report";..var L_bobj_crv_TabList = "Tab List";..var L_bobj_crv_Close = "Close";..var L_bobj_crv_Logo= "Business Objects Logo";..var L_bobj_crv_FileMenu = "File Menu";....var L_bobj_crv_File = "File";....var
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (385), with CRLF line terminators
                    Category:dropped
                    Size (bytes):8616
                    Entropy (8bit):5.155199193844052
                    Encrypted:false
                    SSDEEP:192:UiC0LE+FghaY6m5ONPyUqH6VWCw4H6XS8/rJxpMWmHF:UizLE+Fg44MqH6VWCw06XS+rMHF
                    MD5:6BFAC9799EDDF166BB39E68999E2E460
                    SHA1:318727E84AD59F5142EAE60BD7113F2530F23587
                    SHA-256:A68A7FB0ABAD693B8F6C88F81368611E5CDEE5FE80D6E04550086AD8A30A2159
                    SHA-512:AF4162B34FD100D9382C04FA4BBDEAF66DECEC49697B05B9B7EB855A820B7BBF842837AB1FC99A31E6BD1408B859F80960667189B133D8D178ED2D05EE16F6CB
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "P\u00E4\u00E4raportti";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Siirry ensimm\u00E4iselle sivulle";..var L_bobj_crv_PrevPage = "Siirry edelliselle sivulle";..var L_bobj_crv_NextPage = "Siirry seuraavalle sivulle";..var L_bobj_crv_LastPage = "Siirry viimeiselle sivulle";..var L_bobj_crv_ParamPanel = "Parametripaneeli";..var L_bobj_crv_Parameters = "Parametrit";..var L_bobj_crv_GroupTree = "Ryhm\u00E4rakenne";..var L_bobj_crv_DrillUp = "Siirry yl\u00F6s";..var L_bobj_crv_Refresh = "P\u00E4ivit\u00E4 raportti";..var L_bobj_crv_Zoom = "Zoomaa";..var L_bobj_crv_PageNav = "Sivun selaaminen";..var L_bobj_crv_SelectPage = "Siirry sivulle";..var L_bobj_crv_SearchText = "Valitse teksti";..var L_bobj_crv_Export = "Vie t\u00E4m\u00E4 raportti";..var L_bobj_crv_Print = "Tulosta t\u00E4m\u00E4 raportti";..var L_bobj_crv_TabList = "V\u00E4lilehtiluettelo";..var L_bobj_crv_Close = "Sulje";.
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (351), with CRLF line terminators
                    Category:dropped
                    Size (bytes):8652
                    Entropy (8bit):5.115023189868015
                    Encrypted:false
                    SSDEEP:192:h2CLDxYvwOe5GD0e9lIF3Y/4wBVaDBV/wbz1DrKaNw:h2exe25G4e9lI1YwwBVaDBVIbVK4w
                    MD5:50AE6C6DEF50A686C1FA3169DFA17640
                    SHA1:3EC0FC09A2505D7C121E1783E0C939C34B16E70F
                    SHA-256:6517643EF966D42AE9E1A74155EAF164D347971E386DFE8ADA79DB9B175D20AE
                    SHA-512:9E1CFFD29ACB738BCEA5A09158CD49746F7CC4C74CDF45B0C9FE129EFCBFDFE9EF4F6B18EA112F7482F9D30C7947DEB13B097ECA2392CE0D28B6F4488F30F76D
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Rapport principal";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Aller \u00E0 la premi\u00E8re page";..var L_bobj_crv_PrevPage = "Aller \u00E0 la page pr\u00E9c\u00E9dente";..var L_bobj_crv_NextPage = "Aller \u00E0 la page suivante";..var L_bobj_crv_LastPage = "Aller \u00E0 la derni\u00E8re page";..var L_bobj_crv_ParamPanel = "Panneau des param\u00E8tres";..var L_bobj_crv_Parameters = "Param\u00E8tres";..var L_bobj_crv_GroupTree = "Arborescence des groupes";..var L_bobj_crv_DrillUp = "Explorer en arri\u00E8re";..var L_bobj_crv_Refresh = "Actualiser le rapport";..var L_bobj_crv_Zoom = "Zoom";..var L_bobj_crv_PageNav = "Navigation dans les pages";..var L_bobj_crv_SelectPage = "Aller \u00E0 la page";..var L_bobj_crv_SearchText = "Rechercher le texte";..var L_bobj_crv_Export = "Exporter le rapport";..var L_bobj_crv_Print = "Imprimer le rapport";..var L_bobj_crv_TabList = "Liste des o
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (319), with CRLF line terminators
                    Category:dropped
                    Size (bytes):7703
                    Entropy (8bit):5.102177220270636
                    Encrypted:false
                    SSDEEP:192:+7ugRdtQHbDSSpJ7E5lLcZxmapDbHOD4Xe+9w+on9rgdX/sSYTf:+7vR0/pJ7E5lLvapDbE4u+9Wr6XTYTf
                    MD5:C48C296E39EE440CA3C7127061111CB8
                    SHA1:7B1DF510332B18826B33CCA072B7195D5569D06B
                    SHA-256:325161DD2324A06127DA272BDE6826E50A0AAA60E590F9820BD83E82643924B4
                    SHA-512:D9E346721C82251C2C18F47D94D3A16DE43A4074830F00E82F6C289E3DE78DEA47FDCCAE9348C4AE257F03035AEF4B46C444D752818CF39648C1E5561AD782B4
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Hovedrapport";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "G\u00E5 til f\u00F8rste side";..var L_bobj_crv_PrevPage = "G\u00E5 til forrige side";..var L_bobj_crv_NextPage = "G\u00E5 til neste side";..var L_bobj_crv_LastPage = "G\u00E5 til siste side";..var L_bobj_crv_ParamPanel = "Parameterpanel";..var L_bobj_crv_Parameters = "Parametere";..var L_bobj_crv_GroupTree = "Gruppetre";..var L_bobj_crv_DrillUp = "Analyser opp";..var L_bobj_crv_Refresh = "Oppdater rapport";..var L_bobj_crv_Zoom = "Zoom";..var L_bobj_crv_PageNav = "Sidenavigering";..var L_bobj_crv_SelectPage = "G\u00E5 til side";..var L_bobj_crv_SearchText = "S\u00F8k etter tekst";..var L_bobj_crv_Export = "Eksporter denne rapporten";..var L_bobj_crv_Print = "Skriv ut denne rapporten";..var L_bobj_crv_TabList = "Tab.liste";..var L_bobj_crv_Close = "Lukke";..var L_bobj_crv_Logo= "Business Objects-logo";..var L_bobj_crv_Fi
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (373), with CRLF line terminators
                    Category:dropped
                    Size (bytes):8559
                    Entropy (8bit):5.116137877008578
                    Encrypted:false
                    SSDEEP:96:W7ZoI9KV0ZBz2bicBHI1b157D7IQ/pk9Ev6E4gKCP88+mmkWnV3DcDuaDB9cPfst:wqRsNbaPcDBzE++dCI6mjjMgeYm9E/u
                    MD5:A0FB47B02F12600500331CF35E28053B
                    SHA1:A9D907630F6C067FEF0C11919D7917A5A23D1D89
                    SHA-256:FDA73A91E7039F8ABD5FC32F1B4B2B182DB9D3C24097FFAF48570167B1D60045
                    SHA-512:A9FFFCE058191671D4268820311C6AC75C9454719459F0A917A0FF976B8B903F79FE80AE3C8954B3C355F47B828624314C2BE24213CA230AF8F2FC72C3E1A0D5
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Relat\u00F3rio Principal";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Ir para a Primeira P\u00E1gina";..var L_bobj_crv_PrevPage = "Ir para a P\u00E1gina Anterior";..var L_bobj_crv_NextPage = "Ir para a Pr\u00F3xima P\u00E1gina";..var L_bobj_crv_LastPage = "Ir para a \u00DAltima P\u00E1gina";..var L_bobj_crv_ParamPanel = "Painel de par\u00E2metros";..var L_bobj_crv_Parameters = "Par\u00E2metros";..var L_bobj_crv_GroupTree = "\u00C1rvore de Grupos";..var L_bobj_crv_DrillUp = "Pesquisar";..var L_bobj_crv_Refresh = "Atualizar Relat\u00F3rio";..var L_bobj_crv_Zoom = "Aplicar Zoom";..var L_bobj_crv_PageNav = "Navega\u00E7\u00E3o da p\u00E1gina";..var L_bobj_crv_SelectPage = "Ir para a P\u00E1gina";..var L_bobj_crv_SearchText = "Procurar texto";..var L_bobj_crv_Export = "Exportar este relat\u00F3rio";..var L_bobj_crv_Print = "Imprimir este relat\u00F3rio";..var L_bobj_crv_TabList = "L
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (349), with CRLF line terminators
                    Category:dropped
                    Size (bytes):9076
                    Entropy (8bit):5.2591468705529785
                    Encrypted:false
                    SSDEEP:192:AnvFhAlxByovUMaf/4oiSPwftUzcBJB8I9sO0rPBo:AsxYAEiSPwicBZ0lo
                    MD5:5286FBBAF3C05A494DBC765605711059
                    SHA1:DCD5BF161A9E4968DE3E561E367DA7A4196DFAB8
                    SHA-256:1B4AA854B4928456B658E0A1D96547F84C0FDCE5EFDDC3705C793AD1B104548B
                    SHA-512:E226950BFE5B692A5DE68772A824CA8399F2E862485561E439347A32846EE6C752DE80430598CA932DCCF25F484523481D865CE39757412B179BDBA609DEA170
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "\uFEFFHlavn\u00E1 zostava";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Prejs\u0165 na prv\u00FA stranu";..var L_bobj_crv_PrevPage = "Prejs\u0165 na predch\u00E1dzaj\u00FAcu stranu";..var L_bobj_crv_NextPage = "Prejs\u0165 na nasleduj\u00FAcu stranu";..var L_bobj_crv_LastPage = "Prejs\u0165 na posledn\u00FA stranu";..var L_bobj_crv_ParamPanel = "Panel parametrov";..var L_bobj_crv_Parameters = "Parametre";..var L_bobj_crv_GroupTree = "Strom skup\u00EDn";..var L_bobj_crv_DrillUp = "Prejs\u0165 na vy\u0161\u0161iu \u00FArove\u0148";..var L_bobj_crv_Refresh = "Obnovi\u0165 zostavu";..var L_bobj_crv_Zoom = "Lupa";..var L_bobj_crv_PageNav = "Navig\u00E1cia strany";..var L_bobj_crv_SelectPage = "Prejs\u0165 na stranu";..var L_bobj_crv_SearchText = "Vyh\u013Eada\u0165 text";..var L_bobj_crv_Export = "Exportova\u0165 t\u00FAto zostavu";..var L_bobj_crv_Print = "Tla\u010Di\u0165 t\u00FAto
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (1077), with CRLF line terminators
                    Category:dropped
                    Size (bytes):20391
                    Entropy (8bit):4.331804586698231
                    Encrypted:false
                    SSDEEP:384:437OKR2qxRgnGUE3GxBIMWP3WPEWXtKX9:YaKR2qxRgnyWxeMWP3WPJKX9
                    MD5:4589D7F673E3DAA9C94D7F0ACF3ED6B0
                    SHA1:D0D4CE3F5B2140104DEAE77877095BFADD0FC496
                    SHA-256:0F092591DD7F6AB2B623C271045CE674F33D26E80F8645AF1B8FAD824248D800
                    SHA-512:F4CBFC6AE66B3E8506E902F8AFAA5311CE6805A3221508D8E01F2EADF505BEF136EF2780D47BC6F6201DE80D6CB683224513DDECD0788445C867A5B4844021DA
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "\u0E23\u0E32\u0E22\u0E07\u0E32\u0E19\u0E2B\u0E25\u0E31\u0E01";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "\u0E44\u0E1B\u0E17\u0E35\u0E48\u0E2B\u0E19\u0E49\u0E32\u0E41\u0E23\u0E01";..var L_bobj_crv_PrevPage = "\u0E44\u0E1B\u0E17\u0E35\u0E48\u0E2B\u0E19\u0E49\u0E32\u0E01\u0E48\u0E2D\u0E19";..var L_bobj_crv_NextPage = "\u0E44\u0E1B\u0E17\u0E35\u0E48\u0E2B\u0E19\u0E49\u0E32\u0E16\u0E31\u0E14\u0E44\u0E1B";..var L_bobj_crv_LastPage = "\u0E44\u0E1B\u0E17\u0E35\u0E48\u0E2B\u0E19\u0E49\u0E32\u0E2A\u0E38\u0E14\u0E17\u0E49\u0E32\u0E22";..var L_bobj_crv_ParamPanel = "\u0E1E\u0E32\u0E40\u0E19\u0E25\u0E1E\u0E32\u0E23\u0E32\u0E21\u0E34\u0E40\u0E15\u0E2D\u0E23\u0E4C";..var L_bobj_crv_Parameters = "\u0E1E\u0E32\u0E23\u0E32\u0E21\u0E34\u0E40\u0E15\u0E2D\u0E23\u0E4C";..var L_bobj_crv_GroupTree = "\u0E42\u0E04\u0E23\u0E07\u0E2A\u0E23\u0E49\u0E32\u0E07\u0E01\u0E25\u0E38\u0E48\u0E21";..var L_bobj_cr
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4701
                    Entropy (8bit):5.4486485530083115
                    Encrypted:false
                    SSDEEP:96:G9ZQE+1yTmKzQ/201amE5RsMh2qfpl0LJmvYPj2PtLr0/pWH6zw7QQ2Y:GTMIAAsMh170LeEK
                    MD5:FE9DF0FDAB43BD00C16EA76A89FCC644
                    SHA1:DD19AD6771B2CFE6CED4A9A4BAF328347E8C7657
                    SHA-256:ADD334F245DC39B1007E48A7D23D570F884418D449138FBCF969EC721603560D
                    SHA-512:B6568336E41978B1B96D78DEECEF2B83700FCABADC37D5F789B3AEBFBF2A3EAB9B71A0F86F6EE38E0EB497052AFC700FC3421C3B069034049FFFE3FDF2726D8E
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="V.choz.".._black=".ern.".._brown="Hn.d.".._oliveGreen="Olivov. zelen.".._darkGreen="Tmav. zelen.".._darkTeal="Tmav. .edozelen.".._navyBlue="N.mo.nick. modr.".._indigo="Indigov. mod.".._darkGray="Tmav. .ed.".._darkRed="Tmav. .erven.".._orange="Oran.ov.".._darkYellow="Tmav. .lut.".._green="Zelen.".._teal="Modrozelen.".._blue="Modr.".._blueGray="Modro.ed.".._mediumGray="St.edn. .ed.".._re
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4134
                    Entropy (8bit):5.189447850187486
                    Encrypted:false
                    SSDEEP:96:G9UW3A3wTNRLzPSquBVnV0zdpkuNPO8E5hQkv//nbmzr0wZ+ZYZ+ZKZrZZZ1ZkZc:Gy96qVCBpkaWph/S8wkaYchb7iaDz
                    MD5:5C84C268E58B11585660983042A4C9DB
                    SHA1:F0D94B185D4EE0EA941B543529312307C69B35D7
                    SHA-256:0F20629BA65283E0FA01AB9F8E94D0D31AF3313E3D29E39A55123DA710D172DE
                    SHA-512:8A675E7F092976D1A114FECD4D538C4E41D2D0B3E75ED9977150E5C7032C196B7A83D0B6D33920A8078AA87ABAA42C00A99FEE737B75FB26EE7A8D46D5C9DD49
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="Default".._black="Black".._brown="Brown".._oliveGreen="Olive Green".._darkGreen="Dark Green".._darkTeal="Dark Teal".._navyBlue="Navy Blue".._indigo="Indigo".._darkGray="Dark Gray".._darkRed="Dark Red".._orange="Orange".._darkYellow="Dark Yellow".._green="Green".._teal="Teal".._blue="Blue".._blueGray="Blue Gray".._mediumGray="Medium Gray".._red="Red".._lightOrange="Light Orange".._lime="Lime".._seaGreen="Sea Green".._aqua="A
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4596
                    Entropy (8bit):5.207455489028853
                    Encrypted:false
                    SSDEEP:96:G9SUxhMz3OEgzi/FERuIySe04NGraWpiNz/c5leNgdUDd5ubsXr0N3ocUN5z+sE/:GYmgFER9ySe04N11N45leNuUW4op
                    MD5:2D923A75C6E6134E0C021DB3386CA452
                    SHA1:94410459C3921154A2DD636BFFDE7AC54327B55B
                    SHA-256:46B58257D9236F837D395E5B421756BCF395873944B0F97EF0BDE8C63222E7E6
                    SHA-512:9C52A0324B4AA6BD7D693123C53B8E1B8B43DEEBF5CA11CC88B6A627466D43E3826795633C42F361E0455B6643F6855D1ABC7DC1BA3457FFC4C21C2C950BD8C2
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="Oletus".._black="Musta".._brown="Ruskea".._oliveGreen="Oliivinvihre.".._darkGreen="Tummanvihre.".._darkTeal="Tumma sinivihre.".._navyBlue="Laivastonsininen".._indigo="Indigo".._darkGray="Tummanharmaa".._darkRed="Tummanpunainen".._orange="Oranssi".._darkYellow="Tummankeltainen".._green="Vihre.".._teal="Sinivihre.".._blue="Sininen".._blueGray="Siniharmaa".._mediumGray="Keskiharmaa".._red="Punainen".._lightOrange="Vaalean
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4624
                    Entropy (8bit):5.240250287221391
                    Encrypted:false
                    SSDEEP:96:G9hV106734Jo/mRjcibS1yNMWzU/SlmAwW5cHrIGoL/Grr0DNsnZRUJ1whjB:GDP06734k1QnAomAwWOHrINKkW
                    MD5:C833053C7D0AC82290794584411E7FB6
                    SHA1:678C31FC1F8694CCACBF49901E2C3FFE701D5C14
                    SHA-256:9FD99F45ED02558090E943C4778186CEABF427EBE5ACD9115ED3011B2D242019
                    SHA-512:4FD3B183A9D170F2673DAAA27F41CAF01CEDC5022742D6A583002B017927307791D800F2379E8EDD14BF88193FFD2CABFC5B846565BBE652AA8C5183D745470A
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="Par d.faut".._black="Noir".._brown="Marron".._oliveGreen="Vert olive".._darkGreen="Vert fonc.".._darkTeal="Bleu-vert fonc.".._navyBlue="Bleu marine".._indigo="Indigo".._darkGray="Gris fonc.".._darkRed="Rouge fonc.".._orange="Orange".._darkYellow="Jaune fonc.".._green="Vert".._teal="Bleu-vert".._blue="Bleu".._blueGray="Bleu-gris".._mediumGray="Gris moyen".._red="Rouge".._lightOrange="Orange clair".._lime="Citron vert".
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4345
                    Entropy (8bit):5.242892691389963
                    Encrypted:false
                    SSDEEP:96:G9rEWTcaiLYmifkMJl/pOMT1m1RqDNz/r0M03XKQSz7hZ7f:Gl+MMMJl/o+m1AdA41
                    MD5:73E94CCCD2E188183F169A9813C490BB
                    SHA1:3289EE1B8A7E833D09CD95BD198D87BA9AB99612
                    SHA-256:78B1660302D8C3A7C739D386792280CEFA0EC810BC9CB3044C133964CCB3C061
                    SHA-512:3ABE10EE84BC8ACDCAF65909814956B81D9F2C68547A5C095B0A1D2B6D9B248A0F6D88538E39DB7803CEF430D585D3415E51D9F4C4FC88C7CDC1202B4C9AA726
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="Standard".._black="Svart".._brown="Brun".._oliveGreen="Olivengr.nn".._darkGreen="M.rkegr.nn".._darkTeal="M.rk bl.gr.nn".._navyBlue="Marinebl.".._indigo="Indigo".._darkGray="M.rk gr.".._darkRed="M.rker.d".._orange="Oransje".._darkYellow="M.rkegul".._green="Gr.nn".._teal="Bl.gr.nn".._blue="Bl.".._blueGray="Bl.gr.".._mediumGray="Mellomgr.".._red="R.d".._lightOrange="Lys oransje".._lime="Sitrusgr.nn".._seaG
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4481
                    Entropy (8bit):5.235192750427726
                    Encrypted:false
                    SSDEEP:96:G9qEZ8nEszAyWViWYTj5zbwtn/EEEIRlCuK555WSdAr07EeCT0AOZF7ab5Z8BBZp:GA+xU5Pwtn/EEEslCrWGR7FK/Obelm3D
                    MD5:22EE8394DFBD0750456741338BA7D559
                    SHA1:4021C0811640AF1D85E836DFE383623246D7EE50
                    SHA-256:52C037109F18A52C2D5C4A960C7F0F2F3E417795AC3808ED617BD135E9DAAA77
                    SHA-512:D4B2277C8E3AB5995F07A7089BF80A2C0736DEC748FFA471392D3D01018083D339FE92EF413F3BEB3A975118F78AD8A078CDDB4BE361938F49B0FE8861CF6490
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="Padr.o".._black="Preto".._brown="Marrom".._oliveGreen="Verde-oliva".._darkGreen="Verde Escuro".._darkTeal="Azul-petr.leo Escuro".._navyBlue="Azul-marinho".._indigo=".ndigo".._darkGray="Cinza Escuro".._darkRed="Vermelho Escuro".._orange="Laranja".._darkYellow="Amarelo Escuro".._green="Verde".._teal="Azul-petr.leo".._blue="Azul".._blueGray="Cinza Azulado".._mediumGray="Cinza M.dio".._red="Vermelho".._lightOrange="Laranja
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4710
                    Entropy (8bit):5.409078907184024
                    Encrypted:false
                    SSDEEP:96:G9ojOaOWVoSgmU6dm93JrP8I+6ZpqppwHImfpJHyWXWmr0Gj1TTzZ+eKCTU:GCfM35P8I+x8I/z64
                    MD5:05C9047627B51F4F088DC336AFC9369B
                    SHA1:86FCC00A653407F90D0EFC9EEE881B8D857BA2DE
                    SHA-256:0604537386B4F87526B754DCC635FB14081CC60CF969807635DF8150420DAA44
                    SHA-512:D46F52181CE6F7EB073AE3A09487E547740FE25B34044F9A824E84B02A4AC4677C0E53FD98D05E840CB7D0814755F0978E14A15D42A254A6CC98F5FD53E4D66B
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="Predvolen.".._black=".ierna".._brown="Hned.".._oliveGreen="Olivovozelen.".._darkGreen="Tmavozelen.".._darkTeal="Tmavosivozelen.".._navyBlue="N.morn.cka modr.".._indigo="Indigov.".._darkGray="Tmavosiv.".._darkRed="Tmavo.erven.".._orange="Oran.ov.".._darkYellow="Tmavo.lt.".._green="Zelen.".._teal="Sivozelen.".._blue="Modr.".._blueGray="Modrosiv.".._mediumGray="Stredne siv.".._red=".erven.".._lightOrang
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):6855
                    Entropy (8bit):5.104520201568826
                    Encrypted:false
                    SSDEEP:192:GY2zTRngYmYuO1XKqZsMssqnJ0yhPsGQoInpY:92zTRngYHCy4hUI
                    MD5:2A87BC084AB70030F5691CD0F51EC3AE
                    SHA1:E7A40C4DBC3DC34C77A0AB260C14E78FEFC82C9B
                    SHA-256:BF65B962AC64E7166C5D08F72301138CB6A1EBD95DB202AB71F94FD5D3B9AB33
                    SHA-512:C333ACD585A538C5DD30115FB7AF6C3A27C6B4E219A15FC3477C2FB0F08271065A52D6FC9FE2B8A045F03682F006A89C57EEFC61D7ABA5F5D3C8F152CB18EFAC
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default=".......".._black="..".._brown="......".._oliveGreen="..........".._darkGreen=".........".._darkTeal="..................".._navyBlue="......".._indigo="....".._darkGray=".......".._darkRed=".......".._orange="...".._darkYellow="..........".._green=".
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (339), with CRLF line terminators
                    Category:dropped
                    Size (bytes):3286
                    Entropy (8bit):5.028564212299118
                    Encrypted:false
                    SSDEEP:96:59ea8DXIinZEArS5qz0qzjlFxrL4EoY/rCZrcCKm+eKmsFhHFaUjAcFs5l2bXFWv:5gQ0Fnr6rCm8msDHjtWd9
                    MD5:BFF0D8D593803810EFFE761A037BACEF
                    SHA1:94C406DEBFA5020C4C1735A4F3BB160C3EAE8DB7
                    SHA-256:6183B0D0AFC19DD60F9040DC48D736B13EF152D9E3EF35EF00D7723442F9D439
                    SHA-512:B07EBB72C485A588D6385F6D5587D61209CD8C9CE085539340E7BC32B1F1ACCF539C005EFE24A103FF548D395013712E290791940C694A00B0930DD00C1416C3
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "Dnes";..var L_January = "Leden";..var L_February = "\u00DAnor";..var L_March = "B\u0159ezen";..var L_April = "Duben";..var L_May = "Kv\u011Bten";..var L_June = "\u010Cerven";..var L_July = "\u010Cervenec";..var L_August = "Srpen";..var L_September = "Z\u00E1\u0159\u00ED";..var L_October = "\u0158\u00EDjen";..var L_November = "Listopad";..var L_December = "Prosinec";..var L_Su = "Ne";..var L_Mo = "Po";..var L_Tu = "\u00DAt";..var L_We = "St";..var L_Th = "\u010Ct";..var L_Fr = "P\u00E1";..var L_Sa = "So";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "rrrr";..var L_MM = "mm";..var L_DD = "dd";..var L_BadNumber = "Tento parametr je typu \"\u010C\u00EDslo\" a m\u016F\u017Ee obsahovat pouze symbol
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):2709
                    Entropy (8bit):4.825341805096183
                    Encrypted:false
                    SSDEEP:48:59eTPkkeU5qnAUW9AqHfAtAQESoxaUSA9a/AY8+9OW+9H1suTD5GIJaG27zhL1Us:59eTskeU5qnAUW9AqHfAtAQESoxaUSAa
                    MD5:2109357CCCFF42BACD778D637F42B284
                    SHA1:6B5FC093F2C2EA42C40E38F584AD82563BEAED89
                    SHA-256:B22BD8B1F5D7BCCB88D1A30BB0FB9F6C425BF3E5F0DE5B504817380E5EADFAB9
                    SHA-512:567DA5EC343DF860D5C176763B42AB66876230688F98D8D23435FDD6609FDFE5ACB2333B64C298ED58EFA39526D3A59D9AEC7677E471F52D6F1BF9BB5FDBE5ED
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "Today";..var L_January = "January";..var L_February = "February";..var L_March = "March";..var L_April = "April";..var L_May = "May";..var L_June = "June";..var L_July = "July";..var L_August = "August";..var L_September = "September";..var L_October = "October";..var L_November = "November";..var L_December = "December";..var L_Su = "Su";..var L_Mo = "Mo";..var L_Tu = "Tu";..var L_We = "We";..var L_Th = "Th";..var L_Fr = "Fr";..var L_Sa = "Sa";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "yyyy";..var L_MM = "mm";..var L_DD = "dd";..var L_BadNumber = "This parameter is of type \"Number\" and can only contain a negative sign symbol, digits (\"0-9\"), digit grouping symbols or a decimal symbol
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (335), with CRLF line terminators
                    Category:dropped
                    Size (bytes):3146
                    Entropy (8bit):4.903846359244872
                    Encrypted:false
                    SSDEEP:96:59el3pWu5anuhckqtGA1B1mxx/ywoEbDs4OWDs4ORXX9DBVdmwBVdkfYbeaJcRsR:5gN0A04c4mDBVcwBVQaSRCWsp
                    MD5:0E901C2B87E11BD77C3B26CA874973A6
                    SHA1:DC9C7A0D3CE866E77B35489E7B39A06112961762
                    SHA-256:6EE30B491C97DAFACFB7F3C95FA4DD2E93AFF70FA5095C6D09DE20138984A63C
                    SHA-512:2EB7700AAA6CAF3227ADC4CA172036E1094263738F0FCD70ADCBD7A66EB46BE53B89901F3CD1FF0DAC592205DEB82C56539AE293230D57C5802441641C6C8AD3
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "Aujourd\'hui";..var L_January = "Janvier";..var L_February = "F\u00E9vrier";..var L_March = "Mars";..var L_April = "Avril";..var L_May = "Mai";..var L_June = "Juin";..var L_July = "Juillet";..var L_August = "Ao\u00FBt";..var L_September = "Septembre";..var L_October = "Octobre";..var L_November = "Novembre";..var L_December = "D\u00E9cembre";..var L_Su = "di";..var L_Mo = "lu";..var L_Tu = "ma";..var L_We = "me";..var L_Th = "je";..var L_Fr = "ve";..var L_Sa = "sa";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "aaaa";..var L_MM = "mm";..var L_DD = "jj";..var L_BadNumber = "Un param\u00E8tre de type \"Nombre\" peut uniquement contenir un signe n\u00E9gatif, des chiffres (\"0-9\"), des symboles
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (318), with CRLF line terminators
                    Category:dropped
                    Size (bytes):2836
                    Entropy (8bit):4.871582092503892
                    Encrypted:false
                    SSDEEP:48:59elPDDWU5anMEW9AqvfAdAk223x5UNc9a/AMX5iX5+r5v7qAz9xo3Az9bAFthca:59elLDWU5anMEW9AqvfAdAk223x5UNcF
                    MD5:9BF84B53AE3D997F1E31BAFC7FF659BD
                    SHA1:1B8D594ED9EAA6371E2721B55A8EAADF1EEA2716
                    SHA-256:66D9F03A90E2F876FAA2406C0E893DB07E3292D772028A66A86D32585C55410F
                    SHA-512:3B8CEB43C4C4271C4C9A228DB5A17C849A08FAC9AE7D194429DEA28D07AC88623D2D79E8FCCA4389C9BFCC77BFA1C30405CD077B171E415658872F75F3A7220D
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "I dag";..var L_January = "Januar";..var L_February = "Februar";..var L_March = "Mars";..var L_April = "April";..var L_May = "Mai";..var L_June = "Juni";..var L_July = "Juli";..var L_August = "August";..var L_September = "September";..var L_October = "Oktober";..var L_November = "November";..var L_December = "Desember";..var L_Su = "S\u00F8";..var L_Mo = "Ma";..var L_Tu = "Ti";..var L_We = "On";..var L_Th = "To";..var L_Fr = "Fr";..var L_Sa = "L\u00F8";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "\u00E5\u00E5\u00E5\u00E5";..var L_MM = "mm";..var L_DD = "dd";..var L_BadNumber = "Denne parameteren er av typen Nummer og kan bare inneholde et negativt tegnsymbol, sifre (0-9), grupperingssymboler
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (357), with CRLF line terminators
                    Category:dropped
                    Size (bytes):3055
                    Entropy (8bit):4.889735900952581
                    Encrypted:false
                    SSDEEP:48:59eQP2HVq5rVnQI6bgqvAVMfsTxxQ0w9a/AygnfAZgnfAoVKYiVRL+O2CLMa5NM1:59eQuHVq55nQI6bgqvAVMfsTxxQ0woYv
                    MD5:72490117EE1A34F2BF323030A6BFCBB3
                    SHA1:0AEE826B95305E539A95C18C8A30600AADA109A1
                    SHA-256:F4ECF62D6252ADF5FDAEB2CD5507A2720594DE3A0E4C823435FC64C2CFB3DB42
                    SHA-512:68BE63AA1E5C435DB5BEDEB55CB6860520938D04B7558307A7542E18F848B17958750E10786C6ECE64182C01C8FF15F874E29977F94F572269F267C5E42C0D73
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "Hoje";..var L_January = "Janeiro";..var L_February = "Fevereiro";..var L_March = "Mar\u00E7o";..var L_April = "Abril";..var L_May = "Maio";..var L_June = "Junho";..var L_July = "Julho";..var L_August = "Agosto";..var L_September = "Setembro";..var L_October = "Outubro";..var L_November = "Novembro";..var L_December = "Dezembro";..var L_Su = "Dom";..var L_Mo = "Seg";..var L_Tu = "Ter";..var L_We = "Qua";..var L_Th = "Qui";..var L_Fr = "Sex";..var L_Sa = "S\u00E1b";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "aaaa";..var L_MM = "mm";..var L_DD = "dd";..var L_BadNumber = "Esse par\u00E2metro \u00E9 do tipo \"N\u00FAmero\" e pode conter apenas um sinal negativo, d\u00EDgitos (\"0-9\"), s\u00EDm
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (336), with CRLF line terminators
                    Category:dropped
                    Size (bytes):3217
                    Entropy (8bit):5.0684331267424545
                    Encrypted:false
                    SSDEEP:96:59eatF3Xjn6ZsHW9AqwfAtAzjYFxw14EoY3jTR/jTRoxsJ6RDNj2WsawcFpSCl2C:5g5mAPC0ZmjT1jTkQ+XW1g
                    MD5:5174060FE7C46329CCDCFA607EDC2CE8
                    SHA1:09AA7B366FE908C151C87E5D7FF464BFA6D9824C
                    SHA-256:E9F8E46039E266A7ED5F709A793D27C20F4E75FE85293E7C87B263B795878970
                    SHA-512:4E9237356BC9A2E5A3AB16177F9A7BE1634AA33704D1B04A676E4F3DBDF8021606DF2208227BF443E4E7BBAAEB3B9CA38BEB54B9B69BC12E8D981691FD1FDC84
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "Dnes";..var L_January = "Janu\u00E1r";..var L_February = "Febru\u00E1r";..var L_March = "Marec";..var L_April = "Apr\u00EDl";..var L_May = "M\u00E1j";..var L_June = "J\u00FAn";..var L_July = "J\u00FAl";..var L_August = "August";..var L_September = "September";..var L_October = "Okt\u00F3ber";..var L_November = "November";..var L_December = "December";..var L_Su = "Ne";..var L_Mo = "Po";..var L_Tu = "Ut";..var L_We = "St";..var L_Th = "\u0160t";..var L_Fr = "Pi";..var L_Sa = "So";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "rrrr";..var L_MM = "mm";..var L_DD = "dd";..var L_BadNumber = "Tento parameter je typu \"\u010C\u00EDslo\" a m\u00F4\u017Ee obsahova\u0165 len z\u00E1porn\u00E9 znamienko
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (1064), with CRLF line terminators
                    Category:dropped
                    Size (bytes):8246
                    Entropy (8bit):4.065689156043016
                    Encrypted:false
                    SSDEEP:96:59eE9oYHxP6ntq4zqxpjntKhcxwINAoYfMLkfX4sZLkfX4sNQi99WcOrW1zaNvWd:5gkxPLp4Pd4PkwaW1BJWiLb
                    MD5:22BBEE8850989496F628D22385BD63AB
                    SHA1:B9B0A6C3C969A81630B5D44D9418907E6F2D2561
                    SHA-256:4E548E97F282C3FBBF03FF9C8E4A51C6472A476FD71657CA323F572F8559EDE5
                    SHA-512:B58A61A19C52367BA09C3A62148D291B71712D486948DB44EEA9B7EE3676E7927B7AA88CD8902B31191347B45FD932C2A616F104C8D90E3558FC75EEFFD1F33B
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "\u0E27\u0E31\u0E19\u0E19\u0E35\u0E49";..var L_January = "\u0E21\u0E01\u0E23\u0E32\u0E04\u0E21";..var L_February = "\u0E01\u0E38\u0E21\u0E20\u0E32\u0E1E\u0E31\u0E19\u0E18\u0E4C";..var L_March = "\u0E21\u0E35\u0E19\u0E32\u0E04\u0E21";..var L_April = "\u0E40\u0E21\u0E29\u0E32\u0E22\u0E19";..var L_May = "\u0E1E\u0E24\u0E29\u0E20\u0E32\u0E04\u0E21";..var L_June = "\u0E21\u0E34\u0E16\u0E38\u0E19\u0E32\u0E22\u0E19";..var L_July = "\u0E01\u0E23\u0E01\u0E0E\u0E32\u0E04\u0E21";..var L_August = "\u0E2A\u0E34\u0E07\u0E2B\u0E32\u0E04\u0E21";..var L_September = "\u0E01\u0E31\u0E19\u0E22\u0E32\u0E22\u0E19";..var L_October = "\u0E15\u0E38\u0E25\u0E32\u0E04\u0E21";..var L_November = "\u0E1E\u0E24\u0E28\u0E08\u0E34\u0E01\u0E32\u0E22\u0E19";..var L_December = "\u0E18\u0E31\u0E19\u0E27\u0E32\u0E04\u0E21";..var L_
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):661928
                    Entropy (8bit):6.546613868406674
                    Encrypted:false
                    SSDEEP:12288:keTm7FOV1yr0gydi2SBfsxh19mI4xcMNMMUkb:keTm7O1yYgEiZk7t4JNqkb
                    MD5:A0AF37AB1BAE6B407607E0596A619C55
                    SHA1:07CD672CB31F1F99FD85E9EB593B3055F3187274
                    SHA-256:1CACC63FF0A33465C26AE55BD926656A3543751216FA17D97A63E74735299247
                    SHA-512:ED96192C94E80EB409F255E5BE65AB27CF214AA40C67BC3A92185252D7426E9A0F0A05AEA55888FF7A83B0FBB36C04F62694D646FCE53B9E71770C68B357A866
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):478096
                    Entropy (8bit):6.616019777229226
                    Encrypted:false
                    SSDEEP:12288:dbvfjAyNFgoLk70qQIMKvaS4eL/ZZutzRr:tz9fg7NirS4gCzt
                    MD5:BA134960A0CA6E5F639B843D10424524
                    SHA1:8EB2423F47EDFF4ACE2EC93E72E30623D9C62C89
                    SHA-256:6AF1D57303588666206FF47190A1E0769DC251007139B99E5AB474A2DF309D19
                    SHA-512:51D14A4B8A47BD4F053047F9FE6EB88C7F097FA3B99EF895250C6D2BDAB3B7769AED5A3CC06B64F3A51512D86A53E4944CB1BA996B7F0F7234AD381AF91D5F17
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):436696
                    Entropy (8bit):6.1480846175821355
                    Encrypted:false
                    SSDEEP:6144:4PzKKWvr0n94cZEols3cyx8ofzrYJ3RYSp6cyDagsSDKF1+KyA:47KZrW94S/WzKYW1+nA
                    MD5:93EF6F2F6A5A6D055FA15980A14F0BE9
                    SHA1:639EAACC5E391A0B4868EB3273EE35E3EFC76CC9
                    SHA-256:1D27D8420397A0258F00B7BD0C33F528EB2145A6BE35661F46240F420B8DB562
                    SHA-512:0E0DEB0311D215026B8050CC9D07CAE9FFE43A6D498FED15C4C7106424C18C60B478F87077D1EDD947A530A6CF179D94FCFC33120069EAD9A11322729138C6A2
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):602000
                    Entropy (8bit):6.507201452694409
                    Encrypted:false
                    SSDEEP:12288:MZV18WXJXlS06WR6Q1lSdmqoPjGnZZr2poUxC8QdeJ:MZV18WXJXlV6WR6QLSqMUcjMJ
                    MD5:57FAEC25F6C75F4BDBC929651C7767B0
                    SHA1:EAC7869A92AB66E3FC42FF31E6522240C6B242ED
                    SHA-256:CF70DB8F200A7DDB0FB378CC0707AE5154A42992C655EA1F9CB953DA9207A1F9
                    SHA-512:05547F439E7E57DEA62FBFDAFF256449A11C60133057ED148588A012830F47733FFB38554E7BC4470F1D0B2474AC0923A675C40E3216012C7F2C0E75D24FA012
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):104848
                    Entropy (8bit):4.855091012651709
                    Encrypted:false
                    SSDEEP:1536:M5RyxXcmjCY3atzGy1k8mXQmJpeUvvoySon45Jd:pcDGVGonmJd
                    MD5:9715530C44B867E5C2464AFA9C616562
                    SHA1:F79D0DFB498BD22C48E522429C51A880551BAAB4
                    SHA-256:624DE8FFF7F41992CC6E51CF182E64DDCC84993BC078BC8B235ECE5C30CCBE95
                    SHA-512:9E72EB83D7C7A666B1F735469BFE220E9F0525EBC9B44F2FD5653A0902ADB16B52931AA3306AEAEEB8459084B237E3709B90A9A603F6B22FA3030ACDCABB1BAF
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):104848
                    Entropy (8bit):4.859140684412662
                    Encrypted:false
                    SSDEEP:1536:GRyxXcmjCY3atzGy1k8mXQmJpeUvvoySo3MOAa6Ui++Um4toFI5Jzi:FcDGVGo3MOAa6N++Um4toFWJO
                    MD5:8BF27D1086804CA0E9A2DB05C3DF9146
                    SHA1:D0F2E362CD34057E4E8F00ADA2E1D5943DF3231A
                    SHA-256:28AEEBED14CD95883F77E449612F3C48DF8C4581205EEA506ED3F2A6781378FE
                    SHA-512:691EAF3B53A22C94A89DCE73CC09829B32727198158D93A671C974E0DC4632E9704B160E087E10A28999D7354694498FD95486FB91F81BEC99526272E54EE491
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):104848
                    Entropy (8bit):4.844682044156445
                    Encrypted:false
                    SSDEEP:1536:2RyxXcmjCY3atzGy1k8mXQmJpeUvvoySozZuPew65JV:1cDGVGo4ewMJV
                    MD5:61E390781EE701BCADCA46755A989BFB
                    SHA1:E5AC35A000DE2DBA3EEF6B380E417AAF65C007C5
                    SHA-256:52359AC0E32B659C8046177B397FE3E9E102DB170678CC6D3566108B493F47B8
                    SHA-512:E688C3DFAAF7BD7359F6D557D981B3DC817C55E54D672BC9A9716305E08AD4E1EED6B485827FEC9ADDE7D61F1123957A84BA11FBC2D0B3455F91AF279740B08C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):104848
                    Entropy (8bit):4.808854930862638
                    Encrypted:false
                    SSDEEP:1536:NRyxXcmjCY3atzGy1k8mXQmJpeUvvoySoRV2IT5Jfm:OcDGVGoRV2ItJu
                    MD5:1760442D2E8D41336AC26BE8DC076D60
                    SHA1:F417B181CB938A6F58CCBDB87541A683CB141A58
                    SHA-256:27C80850A0FD20792D1053E95D45D7EE161A79CAFC2CD589DEB430047385D25E
                    SHA-512:334F7B20B4D947213DD07EA9354E6DCF43BF4D2E855BE2891AD8E4D87197639C4122D9F143A2A0621F4F1DD32C66BFB9EAE9D8AF0F550BA537EC6F9695BEB57E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):104848
                    Entropy (8bit):4.816177833062708
                    Encrypted:false
                    SSDEEP:1536:SRyxXcmjCY3atzGy1k8mXQmJpeUvvoySoKpoV5Jmd3:pcDGVGoZzJm3
                    MD5:033B820E4FDF3CA9740A7F8AA473569B
                    SHA1:784475C221E99D0F9597039CDAFA06C39F057A7B
                    SHA-256:4A2995E7CD9062DFB717847E4004F91E70E46740C1CD497C6869D57393175436
                    SHA-512:FED29E1386DBDB018AF5702ED9EB452FCA4CA093F8DC2E453C5C87089C97A58BA958F47447E14EC4DE9A6E324924A3542FB9840077B08733C35C44E3FA17EAD7
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):100752
                    Entropy (8bit):5.0068822925606815
                    Encrypted:false
                    SSDEEP:1536:JRyxXcmjCY3atzGy1k8mXQmJpeUvvoySojLO5JQ:icDGVGojLIJQ
                    MD5:C4E009F84E1ABECD29716EBD95F984AB
                    SHA1:7FB427819C826A1D39A11B2DD07856055FC80CFA
                    SHA-256:D9D039ED718EDF2CE095095A5305C15986525F6CC52D16AE4D1DD415AD96AE35
                    SHA-512:29C5D48FA4CB715CD4125E2B270567C947F5EF2B4A7ABBB63FBB7262985E0250A06AB5B1C5CF6A3D5B9718EBBAE5964FB351ED1B11A81FCC84749BD75BF598C9
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):2749
                    Entropy (8bit):5.16075964789641
                    Encrypted:false
                    SSDEEP:48:mOV/rYJ//rYJWrb/fstsua7+nP2lpL3Tx432sUWzsAp3m3EYz3tYT2l5i:zV/rYJ//rYJWXca7+OHjy35zsAp3w92t
                    MD5:C461E61D3C9547AF0F16A26169FE5477
                    SHA1:FC9A5CB50E0C0CE40FC5C8DF78E1E6380910B966
                    SHA-256:C141D323AB1CD4D1F9DD1BE58F4B303A2724083A48578675341D972081B3CDD3
                    SHA-512:7A2C1B18ACF891CE4EE437F01A62A6A263F14C5BF63247423FE2C835867FA9A758F416B4B6E13518ABE6AE3FFD667EA4735209A0CFCB3B433A57BDBAE8FED726
                    Malicious:false
                    Reputation:low
                    Preview:/*.. * The Apache Software License, Version 1.1.. *.. *.. * Copyright (c) 1999 The Apache Software Foundation. All rights .. * reserved... *.. * Redistribution and use in source and binary forms, with or without.. * modification, are permitted provided that the following conditions.. * are met:.. *.. * 1. Redistributions of source code must retain the above copyright.. * notice, this list of conditions and the following disclaimer. .. *.. * 2. Redistributions in binary form must reproduce the above copyright.. * notice, this list of conditions and the following disclaimer in.. * the documentation and/or other materials provided with the.. * distribution... *.. * 3. The end-user documentation included with the redistribution,.. * if any, must include the following acknowledgment: .. * "This product includes software developed by the.. * Apache Software Foundation (http://www.apache.org/).".. * Alternately, this acknowledgment may appear in the software i
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1851392
                    Entropy (8bit):6.455809912287343
                    Encrypted:false
                    SSDEEP:12288:GuxmK4MmvnMCsrkqVOaeewkKk3s7VArX77gCtEHt8:Zxm3TnM1jVOdVknrX7Yt
                    MD5:1F43C86F42B3B08823479CB49AD9EC03
                    SHA1:912EDEA508D66AC3FC5AE0FDE1AE1E775FF5314C
                    SHA-256:D391D64D6A46E49ED5205EE2AD31CAAA4A5F601C5BAF89AD190FE8836D16CF83
                    SHA-512:27CBFD3087C25747D987CA08DF22ABD3D1FE10F53192AEB9967BE5DBE721F8A25E5B74842D86F426A297FF0C0AC1084569E308A8059BF049AED33122877D0638
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):41472
                    Entropy (8bit):3.512446093524542
                    Encrypted:false
                    SSDEEP:384:B9nDNq1IAhniC5MFnx/038Gbl8Sl6SVZFMdr66Mjy3:B9hq11xi/Fx88GbiSl6SDFyG0
                    MD5:715F9C321F1DAA9ED30E2726948D179C
                    SHA1:B2178AD8641E3C59121C21000DDD2C13812D14DA
                    SHA-256:F6D4F54CDF5F0477E303BB2DC33D37C560E60699BBDF49FAFFA56907B589522C
                    SHA-512:B09A9FFE051B7FCB5F936E6FF083E628C601BE312AC3BD468E4AE8FC81AF70F893DA7F4723FC023F7F7E547EA7DF3A24479CF83D26541032925829B90E03C920
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12688
                    Entropy (8bit):5.7992622498597
                    Encrypted:false
                    SSDEEP:192:1jjVuJaqVQBHZYE5nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIrerYlia:RjVEQB5YqnYPLxsSJeeMDYP
                    MD5:AE4AFA572FDD29334C11D4EECBC74A6A
                    SHA1:5A8CC255184E814B73CD5050441B907EDE25D4A2
                    SHA-256:C5C6D2BC8EDAF533FB1280C7D20A368AA87F1E23B195E30FDCAEDCFFEA092DA2
                    SHA-512:E4AA8ADBB65B2905D2977D4C6CF7899A434EE0B22221D8A675FADBE7EED4E7B9B4FF1F85D0D2AFCD0624599E5CE0FFBF95372824A146C89A95AC09E68FA23A16
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12688
                    Entropy (8bit):5.774318416239122
                    Encrypted:false
                    SSDEEP:192:NADVz5ZYEEnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIr1gWqZ:GDVHY/nYPLxsSJeeMIg
                    MD5:6EC4EBF7EA51076FDA2AE1E494F3699A
                    SHA1:25BABAA7374ECF09270310D0C1C78FA193302797
                    SHA-256:767D7168EA606BBBD1AAE39CA23AD8DCD96ACF61F0385006C7F2709A305B8743
                    SHA-512:249BCE196BF0CF8F2A6EB18B804305D8C723C60B0181D5DEEF5DA0E74169C0E2C59E91A237C446958E88192F707FB69E96EE693953F50D4FCE795C5BEF36F914
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12688
                    Entropy (8bit):5.813371073284907
                    Encrypted:false
                    SSDEEP:192:sMFVWZYEYnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIrrvL8TCG5:HFVoYXnYPLxsSJeeMCvImA
                    MD5:5A921455E89C12709C0849F525B8F559
                    SHA1:5E8008971B383B34EDB7E26F11CE4F760C31947C
                    SHA-256:3C9A96058B94812D4A1D3B2D0D84969F99A3564AFFA0F60748CC265A75432E77
                    SHA-512:AD217EC3E02B041BCDABBA4AF6761A297DAEF59EC3BC6E00B4D11C3DAB8E017E99D0C97BB9ED3CB1D5691E9B62ABB7B08BC31190FFB6EA225C326E6B51EC2B01
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12688
                    Entropy (8bit):5.785129213941931
                    Encrypted:false
                    SSDEEP:192:reIjV0OSZYElcnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIrSow0GY+i:qIjV0OMY5nYPLxsSJeeMnowW+i
                    MD5:3F76D45BFAE029CB3F2D50C2DB07F748
                    SHA1:288BABD3D6EB87C418EE8FBCFBB2E1D2CCD90A78
                    SHA-256:AEA414F771D46ADE8DE36141C0F91310B5E9FEF497AB8757FCDF7518D1FAB6E6
                    SHA-512:BCF09CBADAE39800F5BA3AFD30FDF4520D50B8839BD594211D87607126297AEF2A3823692340C390460941456DCA8A225FB0B75619155543E01ACACBDDA0D3C1
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12688
                    Entropy (8bit):5.7719300246365455
                    Encrypted:false
                    SSDEEP:192:pJIoVBHZYEOnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIr5VhBDk:jPVPYxnYPLxsSJeeM8B
                    MD5:B984E96AE7030F20582CFA18B6B149C8
                    SHA1:27F341B5220FB2C6031FDF9ABBDCA8BEA21248CC
                    SHA-256:DC451B2C0B14B9B9E3EB741A7966A72AF4666035981185B99990061C5F3F9589
                    SHA-512:F3764188E9284DC4D4AC6B0DD0C86230A3548DBAB13EA2EBAD890B1191EDED0367B22DE7AEB7CA71B337D860217681DB74943D603D6479A5908F1599543CE4DA
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12688
                    Entropy (8bit):5.883145092381636
                    Encrypted:false
                    SSDEEP:192:T64VGZZYEYnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIrI1izBA:+4VGLYnnYPLxsSJeeMx1
                    MD5:8EDD68A784D35766B4672FEF5A4BDE80
                    SHA1:E60708FA325E8B9EB372D449799B9CDFFC14500C
                    SHA-256:67C6F5783687804AC6C8CC531C618CA1BE0DDC4AC05437E495870B27143F69F9
                    SHA-512:F7CF84D243EE28DAF6EBB9729F680B26B0AF54C2D63483F5E3FB313158A0FA43B7F1D205DB996928095D98DCB968BAA0249C6D8EC8EC42D46A904A3BA50FCA45
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12688
                    Entropy (8bit):5.822654682777909
                    Encrypted:false
                    SSDEEP:192:nqdVu5vZYExnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIr6+Hx:qdVu5RYanYPLxsSJeeMz
                    MD5:B261442B170C39E950AD231401E34B9B
                    SHA1:6BD2AED52259003CCD7FE026A736B932E93D4E1C
                    SHA-256:1334C9A8E5EA9C8AEFE7E385B26C14319540B0BD0F3EAB7076163C284DCF499B
                    SHA-512:BACB52DB3AC4BEE2137FECA730E8AAA2CF274F8B4CF33205C6C1AAFB978734AD582A821789D961739F1293DBC2AB96BA3FBE3D660BDBC7A4F3E0F524D4C53DBC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1708032
                    Entropy (8bit):7.303628491630463
                    Encrypted:false
                    SSDEEP:24576:NzzhylfhkCWu1thEzq1CJDrwHb/IRTv78vvDujEQ4js:JYhHWGh+q1sKIRTD8v/t
                    MD5:5315417E8940B18B7AABB9538C7D332A
                    SHA1:04F149FB372E6581042AC2E30C8B88C7EF89EFB9
                    SHA-256:563CB20C3A25FF5C8D985E4CA3B8BA45CBD12B604B143BC75F53C96146B0EF7B
                    SHA-512:6F498C3EEAE3C8FF07A3C494F8AD22F5B1B4CD99F5CC56200CDD6DE3EF945668036DF0A6F1240E45AF4458DB9D26BBDEF7AE331A4EEC806FE8F958E2B81513F2
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):84360
                    Entropy (8bit):5.398633206349337
                    Encrypted:false
                    SSDEEP:1536:DlPnUmOjfi0wdRcD/KP+uWxSzF4EYTqqa+Mt83BZK18rb5Jws:DlvlOjfRUS/XStGhBZK18rlJP
                    MD5:8AC329AAED7851C8382BDAED2E842EC4
                    SHA1:42889132CAC54F8C1F44FC1314D07431AFBCBCCA
                    SHA-256:B9EB31A2D48F52E8C1DC9BDEA987913F7288D2F285D742F5B1B4CE7ADCF3B2E3
                    SHA-512:E3EBB0BC29CBB24992E79DEFFF42E925190C25875783358A19046F18213C1D5DBA9C9AD933BC43C85AD25491FE04B8CCF2691D983F4CBBBF2EBAD87CCDBF091D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):86408
                    Entropy (8bit):5.383809041905698
                    Encrypted:false
                    SSDEEP:1536:AlQG7l88OjQRUwdRcD/KP+uWxSzF4EYTqWtmTmto5JW:AlQKlFOjQWUS/XStiATmt2JW
                    MD5:869C95EC34015E0875FEAEB8B06AC9D1
                    SHA1:D8998AAB7C19505D9D9F93E8EF266F0436AE4807
                    SHA-256:65F93336C8E690F5DAA98E837705E06E3F5C08F59DC581B2EBADC6E55C21FABE
                    SHA-512:6B1E55BA0F4E37AE4F6FED6CF269020D8DBB627E5EF177E3D6FECE63AB7DE710ECE36C3852AB672758308E82BFE0130395AB6A4FEF5D57F7186C5ABE1064F022
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):84872
                    Entropy (8bit):5.413100757393005
                    Encrypted:false
                    SSDEEP:1536:+lPnUCOjAqfwdRcD/KP+uWxSzF4EYTqeJvCCtjDazEPiEnR4KT1jB+tr7SMcrteV:+lvZOjA+US/XStCBCCtjDazEPiEnR4Ks
                    MD5:D8472BE350CBB61C3BE63365DA0A9EDD
                    SHA1:2713F15A4106C2CB2F19966BDB3E36DEC131AA52
                    SHA-256:7AEADC4091CC6F6C186D470BBEC205B0736119F9A8F71A4130D304174D176DFD
                    SHA-512:083563F745FD619B400EF68723115C2A03BAF3A2A170B3507735124DF5E12D9EE3612AC8F2E0136133E76604CADF698DB7420ADB2D5C291F586A99BB51B739A5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):80264
                    Entropy (8bit):5.703595170860442
                    Encrypted:false
                    SSDEEP:1536:vlPnUxOj398wdRcD/KP+uWxSzF4EYTqhf5Jq:vlv6Oj3aUS/XStdBJq
                    MD5:0527D1D0F507F6B35295681C5929120C
                    SHA1:17865392BE8383353F89EF089B7B366F0AE5449F
                    SHA-256:BC4B76D3C6BD26A13793B6D1AE7CBEEB7B59DF6E1091A42DD18047578D574A6A
                    SHA-512:435AEC3888C3FE787FCF19820511F782BCD0ED6C4EB5E89851379B64E87B1A1E09DB97EA31BB0B477E3429E9FA0BDC3537A73C72F049E6D7A81FC4A651F48724
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):84360
                    Entropy (8bit):5.636767328610427
                    Encrypted:false
                    SSDEEP:1536:mlPnUYOjlFKwdRcD/KP+uWxSzF4EYTqAZ5Ju:mlv7OjlcUS/XStcvJu
                    MD5:F2AD44B2D043CFC99ED4C331B1A9380B
                    SHA1:D0AB680DD4E77A3E732153A87B995978DE15E5E3
                    SHA-256:D2755EDC65CFD1D920827979A9EBE1982F78B35F4F8171A8354907B96DE6107B
                    SHA-512:346C95EE271CE44406AE7C8F49008E190AFB1730DFEB1A74BA1DBCD8F6A7DA42581782FCEBEA81302D193B375016346A7DBD57DCC9FBAFC6EF073B6E60532318
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20872
                    Entropy (8bit):6.224425466899324
                    Encrypted:false
                    SSDEEP:384:D8OXp2/6B49iCio9aM5Ojh6XOeTKnYPLxsSJeeMS:DlY/6W9iCio9amOjOOeWs5Jt
                    MD5:447AD6D1B0C740A8E1250DDAEDE427C3
                    SHA1:60F45332A738E1BEED78155F82799EAD6F028E2D
                    SHA-256:AE39F33ACD0EAF3614C17F9C6723F920D9CCD5DE7AD8228FBE8C889758EE4F2C
                    SHA-512:40CBC7A48D12DE62EC437D3B8427FDC3F83861F961109CE70F895B6BE605D8AE49357E9C76B8EBFF9374A7B90B0C0368A1D5692BC8AFE7F9F2960A935211A5DF
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20872
                    Entropy (8bit):6.224623335067866
                    Encrypted:false
                    SSDEEP:384:a8OXp2/6B49FCgo9aM5Ojh6+0TFnYPLxsSJeeMY2a:alY/6W9FCgo9amOjH0Zs5J8a
                    MD5:07696A067DDA9617EF6361E04AF1ACF3
                    SHA1:28DF26938B9FAD836C7BB03294BBF607881B4A53
                    SHA-256:E373F43B41E21F4E994D8C14FE5D4AD07CC97BDFDBE09F53CAFFCA663D27E1DA
                    SHA-512:2A62ACAF5767A4F8CB728EF5FA3F1D44C1B2112092FBE4F3409D126D7774646128B1ABE24C80394111185815CF62A772C63B7E34A3334ECF84B6A11D534CCB4B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20872
                    Entropy (8bit):6.228028164981068
                    Encrypted:false
                    SSDEEP:384:z8OXp2/6B490Cko9aM5Ojh6xhTZnYPLxsSJeeMk+:zlY/6W90Cko9amOjEhts5Jy
                    MD5:38AD8BEA7B063A4C31DEF78ACCE6B8B5
                    SHA1:15D66A3DA3D55504F01289776A85482F97F1AA82
                    SHA-256:C3D7BEC8771DC5527B242DB17C5EE880C610F936D363CDDB72B331F51D2BF00E
                    SHA-512:516AC2542CDC3460F1F7F5E0B6B8B1B4F6E82E687C1DC76AD0C582D83FB97043C1CD022373B2AC0CA26632E5416878839D51F977D99C16ABEE635D637ECBE8D9
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20872
                    Entropy (8bit):6.226401899482181
                    Encrypted:false
                    SSDEEP:384:m8OXp2/6B49ACfo9aM5Ojh6t8TQnYPLxsSJeeMFr:mlY/6W9ACfo9amOjA8cs5Jur
                    MD5:2E9578A5621A27A6711973AE29FDDD76
                    SHA1:96C08926DB6F38B1F1DACDC059E35436211E057F
                    SHA-256:5909C28D288ED54F4823AA113BEFE997BF3A339918DB88876A284A04C4D82521
                    SHA-512:DAC82D003EEFE7593D66CD5B7EB7B105E2B2DBAEAA8DFF96939F037813D041D62A1EC6008D84891399DBD3396300ABE1ECB396735105044D374663DB2A0BFF12
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20872
                    Entropy (8bit):6.224575127046697
                    Encrypted:false
                    SSDEEP:384:48OXp2/6B49FCDo9aM5Ojh6+ATqnYPLxsSJeeMH6b:4lY/6W9FCDo9amOjHAWs5JHb
                    MD5:6835BB1B9E7AA6A658C77154837081A5
                    SHA1:B1AEE8943C131E1ECE1BB3945E0D88CC41088CD7
                    SHA-256:D695122A2CA3CFCCDC4A460AD27CD202A9CAEEF2DD257911C855A2CB383C6334
                    SHA-512:9EBCBF13549E5CB1C54E6880FE23081A13C5BD98E2C61B98BD267FF89F1298CC08ED3D96982F6372123F5E6D3684120CAE2F38596E2CDFD8C4C5FDAD2C920E52
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):125312
                    Entropy (8bit):5.950911312578154
                    Encrypted:false
                    SSDEEP:1536:Z43MO/O/ZsIxGZxtae0tlxp577EqHvACB4rcyWknjOg0IY0hP4rTTzwtj5JA:VO/OSEl35fICGrYkjOg0IY0wTTUtdJA
                    MD5:8323123AAF8BC9F0402BB1C286D855DC
                    SHA1:3BDC9207620901B7FCA43C088F4F0060A218C371
                    SHA-256:DB9DC0B15BB21AC3EF78283B158F3CBC4AE15B4BB4D3CD74D825D233EBC1F968
                    SHA-512:33558ADC56095DCA853ADF1E13046C884D31A1B6815779762410D5714CB4E7761736282E208EAF472C552908EE493CE4F387ECCAA9EAC1563B615F253E95C277
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15744
                    Entropy (8bit):5.4679357712464824
                    Encrypted:false
                    SSDEEP:192:+PR2ernW9NBQZnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMgrtHW:wtWxQZnYPLxsSJeeMU2
                    MD5:5D4C4995D9B2B97A32DA8EA6A9D5A6B1
                    SHA1:911145040CC530E32E495FD7C75B0B928160E606
                    SHA-256:C79CEAF9CACC20E0391D7C40D4E091A05432DD0999064F985AE7CDFA34D92E86
                    SHA-512:3A149F6E058F903EBC5E27D12B965204D195E7BE3390AD792183396F77D11054B0F4666FC6748F52C065F00F61CC98C4D6B28F970E36FCF17F202F5BD0E6D024
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):16256
                    Entropy (8bit):5.487661700294575
                    Encrypted:false
                    SSDEEP:192:Zka6Q5fsq9YmA/bIFpogy0NQ4/nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMgr51zm:ZkfGsq9fA/8y0NQ4nYPLxsSJeeM4m
                    MD5:4934E406B6CC65BCF855A96AC7DD63A0
                    SHA1:40EE7F00D00C4E8ABE74F43F91FB73B97FCD645D
                    SHA-256:042B42495BB9C852ECC56308CB0279AAAE6BE1BD5E6550E7423C7CA8C6F135E9
                    SHA-512:4F89CC8188A60EBC7EC72EC103B5DC65A5CE6B5CCD0FF8DDBA8C5CA73E8F822BFB5FC4C006601F6ACBB935D6F86DD4E48CD405E2EC7E4A1C7940E6F3BE36F352
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):16256
                    Entropy (8bit):5.503896388653988
                    Encrypted:false
                    SSDEEP:192:q5B7Q/UZsQonYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMgrUNlcT:+MVQonYPLxsSJeeM94
                    MD5:710D66ACD062439FC95AF38B6244B949
                    SHA1:7FA31E480986AB83E992DC85D5C1DDF66E357136
                    SHA-256:DC50CF4275A2425718A5F5F78F29C8057F512881496A9D072B842569E4A83C56
                    SHA-512:CCF8476639BED241BF47240EDB6BAB855831D3BFA40A98FB6B7AFF84ECF8131AFE259F4515DEA9AA52FA67C602DF04BFD25A3A96D8BCF3A01C1E09340C6E84A8
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):16256
                    Entropy (8bit):5.521051625256793
                    Encrypted:false
                    SSDEEP:192:PaeR3HK3M3OHhhBfnwio+3cQHnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMgr/Kl:PaeR3fOHZ9v3cQHnYPLxsSJeeMTl
                    MD5:DC1A68695719A81C0D63C30F405D5884
                    SHA1:7DAA4C13AB4A53E33C9BB9F8EE616D03EA63E30B
                    SHA-256:136DD839F0428E1B14E39E95733089DE6F4F6AFDEAE97157937E6BCE920D822C
                    SHA-512:4B72159ACF833F5465EE924225F11B70587E805C426692715ECCBBEC535B8BA8F74B47AD54EA4F636A7B8CF4B62319C27D8D84E8B1010F0C1540FD4FB62072A5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15744
                    Entropy (8bit):5.960150988608188
                    Encrypted:false
                    SSDEEP:192:kjeH/Bw2jqAf5A7uXQInYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMgryy34E:bwI7ZQInYPLxsSJeeMFu
                    MD5:0E2797B3C3DEA26C21A8C6A95DC34DBD
                    SHA1:490809BAB5A48444ED0C3A3382961F986C441E4C
                    SHA-256:EDB2DA1194C4C6B67E76F01E4DB9D0BAB90834D37E73DE1972057246F8E6B266
                    SHA-512:7CCB30C6E33850B79E611E9EF22FB004D843B95B3CBF3D0EF109B2A669CE7DB10CDD9DBA8F7F0715E3AF8361EDC3955529C405DFE755721E04DB46DAD7F318E8
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):498048
                    Entropy (8bit):6.329866451581706
                    Encrypted:false
                    SSDEEP:12288:YutTCkXdEvDNOXzcSPBq8RIcYj4f1cFWXiv2g7Uzo73Vq7:LtTCsdEvkjcUJIcm4fCsgQzo47
                    MD5:2AA40C84A190A0D0C9504B79239953DC
                    SHA1:CCB34177FBEA5E15243014B2448212D16A50C1B1
                    SHA-256:04225AEBA51F2B6FE79616B659F8C381C33FC673266D991061D1064338C3DC80
                    SHA-512:EA147B916599FA92BE83F7D1E7DA5BA7779C3B97A839563686F86DC583CA94F22188985E4F3FA5DE3D42E7A8C9FFD0FE70BFD1C852C6B733FBDF953464D8B2E0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):23936
                    Entropy (8bit):5.06826145732062
                    Encrypted:false
                    SSDEEP:192:olPv0DDyj7pZvLuD725giUC0TJY3od7mndGUJYYXRKh8+j0VFx5XUy0Bk4+CXlpP:HCLeQ0T1pInYPLxsSJeeMtml
                    MD5:B25C9A647D9A2B2DDF71CC778B3397DA
                    SHA1:DC329D00BFD05F3F8A7EDE79701264718AE5F3C0
                    SHA-256:416228DAA980C9ECC361EBEA71538BB5E64A3B533ED418186BE488E77F7E0E7A
                    SHA-512:1B9F79968032C80F422D32ABAC74683A0C9B64D391A0F0557D71273A1263341835EF442C62959C352F29C9EF93F15ACB37D3CFA577D39AFD3BA1665723C0D5EB
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):24448
                    Entropy (8bit):5.024573502543278
                    Encrypted:false
                    SSDEEP:384:N9t1EdEYuyK8eQ0T1pSsnYPLxsSJeeMxq:/EdEYuyK8p2kss5J/
                    MD5:3AC0619CB33302C3C60C7D8C372A7990
                    SHA1:1E1D09BBBFB4057A980649C8CF0A0870D1548D0C
                    SHA-256:7D0A79B4687BD4407B0F074FA083EA2478E033C10775AD6498F9C4B64BB99AB7
                    SHA-512:B633A0189160108734D6B4CD0C98066D16E8F711BC80B8039FABAFA9AF7D0F445EB3E24B16F3D8BD0D2246179FDFAD719B36BF3ADAAF4A11BFA0A1E0A6BF21CA
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):23936
                    Entropy (8bit):5.032920172355983
                    Encrypted:false
                    SSDEEP:192:XJq8vICpToNJvvfoLVUrY1ub5giUC0TJY3od7mndGUJYYXRKh8+j0VFx5XUy0Bk/:X52UAYQbeQ0T1psnYPLxsSJeeM9jOpYF
                    MD5:A72F1AD3FAD00AA2D5F357B5334FFB65
                    SHA1:B59139E0BCFEB6E163304EBB77CAF6D4354ACF41
                    SHA-256:FAF5DB64656DA765D108C55C21C2F48400592B115CE7A8A6C01E4A8100459556
                    SHA-512:15CCAD2424BA92EC52D707B5ACCA6DE37A39B04200EA154BA824839CA596825BE55CF16D0662726F05248EE43B5C8EBEF099B440113634090ACBDDDB185EC368
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):23936
                    Entropy (8bit):4.998768500048064
                    Encrypted:false
                    SSDEEP:192:NcWvNTHiszn+GJS+vVTP3MW5giUC0TJY3od7mndGUJYYXRKh8+j0VFx5XUy0Bk4z:RG2oweQ0T1pOnYPLxsSJeeMgB
                    MD5:1C7A2C31225C4F55FEE2DD50EAB5243F
                    SHA1:A26F665E769BBF7D5F5588E4B0A39229587F03ED
                    SHA-256:A47D3B2B038E8952F7A1FA663167D076D315B63F8DB06C3E24C70882C2F5DC87
                    SHA-512:12CB40778A6EAD67E3C8BD9B358BC778FD65A5ED121DCC2308C96BE92C49D9209914E284001F2784D8B86B65682F13A4A19E7895640F0F645945DA801EA89ECC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):22912
                    Entropy (8bit):5.341809930258548
                    Encrypted:false
                    SSDEEP:384:nx4ahsS1FSWOq7FeQ0T1p7nYPLxsSJeeMP6:2QsKRp2ts5JK6
                    MD5:F52B7D47C18C9D80F6E494DD7F2EC9A0
                    SHA1:3193DCC170A7375C168369787C8610F794D3AD5C
                    SHA-256:466547624A1A615264696AA266B60EF14A6512B8BD99233DADB323BFDA0048A7
                    SHA-512:4D927F073B2E9C3D9ACA0412D05F799AAC5417E5DA2E52EDE98172D56D3331F842B665584A89CD8D66C7B6E3444C9E506227EA0EDF382097B1B1DC60A80DC1B6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):24448
                    Entropy (8bit):5.095846730679163
                    Encrypted:false
                    SSDEEP:192:bANAZxMj18zkXvMaDq5giUC0TJY3od7mndGUJYYXRKh8+j0VFx5XUy0Bk4+CXlpu:bZ61OkhqeQ0T1p2nYPLxsSJeeMfUM
                    MD5:4A0815D740F42069B5F7F201983E9B37
                    SHA1:F03E09C760347E9149B3B963CB3DE094BEB7061C
                    SHA-256:ED55FB2DE7D58C29EF87139D71F3DDC0FCD6EC69F0DEB97A706F523AFE3FCC1F
                    SHA-512:2838C98F65CA02FDF60EFCA50E515A5BFAA05E7FBFA920E7F3A45B586E74AE61627102BDE6FDFBD71D65ABFA707D4B21EDDF72EC90FDE4D96760C04158546AD7
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):22400
                    Entropy (8bit):5.29890668833447
                    Encrypted:false
                    SSDEEP:192:Kpl9mTAv8qj/f5giUC0TJY3od7mndGUJYYXRKh8+j0VFx5XUy0Bk4+CXlpYnYe+D:KsTqeQ0T1pYnYPLxsSJeeMXO
                    MD5:75474C945292A0EFABF329B2F8EF8551
                    SHA1:7132F420F1E578183F349C5DCFA7379B5A0CD9FA
                    SHA-256:5BFF3600F25E432C253E900E9373E8432D3F00AA59AECCB6C5C947451282A6EC
                    SHA-512:67B581976C2F66A10CAADD63CF275D5AF7EED70A62B6EE3C65A85B623EA3FACAC90BC10BED1597132E382B682C3595C024E4AC5A6076BD2D7EFA218BED356019
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):5.942469821620909
                    Encrypted:false
                    SSDEEP:192:hWIkI4o+trznYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr/Nz:EFVnYPLxsSJeeMi
                    MD5:40D559267BFEA4B19CB3533F6FC0A606
                    SHA1:5A54602D27B16811DE7E2747DE60FEB944FE1560
                    SHA-256:9967BDE21D3EA2683AD3074EA90D6D786054E3DB289758471BE80A08528BEA21
                    SHA-512:6CFF8E72C91642C279CD7392144C00706AFB15E8A1B3EE6B51DC841E077B7F930E26A9D3782350CE1089416540C832E12A7B3857B4E62D0763E7251AB15DF9E5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):5.934884367467248
                    Encrypted:false
                    SSDEEP:192:lNBxf+o+trVnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr263t:/WFHnYPLxsSJeeMSt
                    MD5:349B9CEE4FC66336BBE7A33C5B2AAEFA
                    SHA1:7BA4F188106C6250425B671466B2E18F4C336C1B
                    SHA-256:A7A1CCF5AA9A4BE0CF336B3ADDDA26EFB95A25741FB895EEC0150B279BA32189
                    SHA-512:D98DF6E7E545CAA6DB9941C7960BFD2220AD825F67B9F540ECA5CEA462B8C9B6A1294999D42F990606F1764E474E9E91908BD9AF39B28ADDB3D30D9A9227E0D5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):5.88139071891915
                    Encrypted:false
                    SSDEEP:192:g4kHNjtdyOo+treonYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArYNDXw/:fkPnFsonYPLxsSJeeMxc/
                    MD5:559BE81C25043645A2AB453ED2855B98
                    SHA1:8ACDE194174F539E594FA635E7B77F5C1B389935
                    SHA-256:1457299EBB771B7CBCC481CDC9073B6B358A3F9158840760D90E6E0C22627D06
                    SHA-512:EE1AFC0E040A4385C5E32820A766F9428B6151940737FDE3ECD93CD721E1CA7F7D49ABF4A7E7E830DD8F4121242D6AF8150150CF429733F2CAEEE6FD149D6973
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):5.907163929574286
                    Encrypted:false
                    SSDEEP:192:qwBMo+trinYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArr9/mBQOgJ:MFQnYPLxsSJeeMeONK
                    MD5:8C98DBF3ABE1366D171F2867B31A1DF8
                    SHA1:CF52149BB596C2D7D3709B405444F174E2307BE2
                    SHA-256:49A332EC84AC34F797C73023DC0D20FB2C2261C325D12A861B404C0AB4E0FD59
                    SHA-512:CCDFDA0F4902DEEE9E6B085219913D62D6F4E73721FA68476DFF031B93C9BB9AFE1184C0743E8F573FE55B99FFDB01D74448198A555C6C49ED50C3522A8B66E1
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.1067089718572864
                    Encrypted:false
                    SSDEEP:192:/Hgq6o+trVnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArJwONn1:4q6FXnYPLxsSJeeME7
                    MD5:DCBBB6290E3DAF01B1A53D305C31CF8A
                    SHA1:8374B0B607F4AB425EF259AD44E8588D44C70420
                    SHA-256:668BADC0FE1C4B88CED491D2BE6725D4D7AC2BFF48D29A3A2A9E274226E34EFD
                    SHA-512:DC9477294D7A74BCFE3D45228A525DD469D896ADE7776644E7107B15BDB32F8D3E84DC24C6E848A03541B605B8C43268CDCEDDA0967A43552A8527D19C7F3281
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):5.896743393697259
                    Encrypted:false
                    SSDEEP:192:IBrZWbHB2o+tr6nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArkugjn:8oHoF0nYPLxsSJeeM9z
                    MD5:FCBF31FEF5BDEBAF4F383EC51F5A6DD1
                    SHA1:8B4374D5AA0FF38AF294C32A1432F74B24D48EA9
                    SHA-256:4285B1F4D9EA7DFBA2347CA695A5AD57B8BB9DE24A2DD51F1311458C5ECDB6FF
                    SHA-512:B79AF28D730D1D09872FFB8C23ADF9BA27386A0DC684A61289AFC3CDA8CC272F6B89D9FFC307D07464F1DE210E9BB5B6364A85941BD554113B551CC31400AA68
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):5.922419200510289
                    Encrypted:false
                    SSDEEP:192:O9apMo+trMnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArptgrb:4FGnYPLxsSJeeMYt4
                    MD5:D490FB2E047620786C365E77AE27321B
                    SHA1:203C3EA63BD780CFFB70C2F9AF57466D228349FE
                    SHA-256:7A217F7909DE86522637FE3E832D1439D2B8BF0A61C64B02FF1E54F1E1C5DAEC
                    SHA-512:65AA266C309D1D8E97FA3CB778E6B5816BDDAAE48CB81435B5714472B17D87DCBB072B7B57ED093B7A86A03A02BD0B5D76F3C9FD54FD494F83799FA71C04E3D4
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.0560134360697955
                    Encrypted:false
                    SSDEEP:192:FSyLEnMo+tr2nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArFuXtHX:8EEMF4nYPLxsSJeeMf
                    MD5:0033B2C40FAB8580DBF862D6E185B360
                    SHA1:AFF9F7EEA10D84F5BE9420AAC56C367DA2D2E479
                    SHA-256:1B7D1664EE03E043A249A38F64472E84DB20C1930F592567A695BAC8BA3BD7FB
                    SHA-512:F43FD56DC18762BDE1E193AF915977E77608C4F7160359E64F7EDBC40C97129CBA94A61638D193C0E0630F16AD40B04D8D75ED1C0335C484CC54612F1B2D1D9E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):5.9465914712162675
                    Encrypted:false
                    SSDEEP:192:cHOq5gpo+trnnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAry7Ts:KbSpFRnYPLxsSJeeM6
                    MD5:E36ED4EC09C1DF1CAB11E0DFA610E507
                    SHA1:1E669CFEA36D61E97A629F12990FB81EAB875E9A
                    SHA-256:93F6ECDAAEE79257790B6E0AFC058FAE4A2D04F192150B23FDE207A4B25D18E2
                    SHA-512:A84953E9BF5D4230DC9E56EC62CB77C5062F75C58C5CE519FA0BC9C5EBA807956414E562DA68DEECCC9ADE45FB411FF67BD0B5D9CA5D14D03E577780496E0F1A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.109879833223401
                    Encrypted:false
                    SSDEEP:192:hfWoo+trWnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAriyU:AoFwnYPLxsSJeeMN
                    MD5:90BDC181C86548486312FD885262FEC8
                    SHA1:35FDB2F75429029C7759945CC67FFF33D51B2497
                    SHA-256:1A42A3AC5ECECC48C65633630A6476E59958AA53DD322B72D71E6AC305C5D3B4
                    SHA-512:B8B7DB0A79D742593F6EA8EF1AE929605BC77DBCF792C73B0B566D0A8855427B6D8C6DD10564E506F2B46F4D2A329C391CD87F361A2511F8B74F454B53E73F2B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11152
                    Entropy (8bit):6.0353635140442945
                    Encrypted:false
                    SSDEEP:192:5opvmnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4r08HTu:IvmnYPLxsSJeeMcu
                    MD5:A16CA55CBBD02CA39AB8368782E61E40
                    SHA1:FF4F2A254C341DD887AB8A0B1168C295201804B1
                    SHA-256:50FAD7C110F5FB4C74C2226C6F63220D2E4DC3507A2CCB74E6EEF47C40022220
                    SHA-512:CBC572077D2DA82A069154636DD7993D52436D3BFB05A4A34B1A1D3E13E25538D4B3F907E4013F79A4B7A43F934E27CD635654797C9FBE7DE70C7741224BC666
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11152
                    Entropy (8bit):6.063016188515648
                    Encrypted:false
                    SSDEEP:192:FvNnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4rQc4z:FvNnYPLxsSJeeM3
                    MD5:3BDE7A41991E43153B06333AA8E47FEF
                    SHA1:7E0D5059D51F28DAF95DE76BC014C87C994F6337
                    SHA-256:06B00684D013945DA87E1D5A69C4DE4D590646408593795B9D4AF7533C0A76DF
                    SHA-512:45D2395420AA70D16EEDD28C38AEC9D8496DFB687E2DB2E2CE7AFFD0AD2360335E4AE6DD7383D272AFC3B19DDB69D886C96B30684603927AA5269F2FADEA6875
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11152
                    Entropy (8bit):6.066288445387967
                    Encrypted:false
                    SSDEEP:192:X1wvQnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4rIlZ:mvQnYPLxsSJeeMlZ
                    MD5:48E58FC9DE50F433CAA06B1862930F56
                    SHA1:19EE37F929061373D81CBFBDBE0D5273AAF6423A
                    SHA-256:0F73EB0156031138824542BEE1D48CD9FADC700DC9FF7DE2BF7275DF6AC7E23C
                    SHA-512:AEA924E36535192BE68B702CAA070EEFC770B42EBCDFAD569FB1C4CD66BCF92978E658F740B16AF0F0F840CF21915EB0B77532689ED20FA58850857F7D330241
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11152
                    Entropy (8bit):6.042286203492096
                    Encrypted:false
                    SSDEEP:192:bBKvMnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4rVx0:AvMnYPLxsSJeeMT
                    MD5:9AB5F69F6E99F9AC8B1268D7DC2E7889
                    SHA1:30A30B39A0C9B2BDA46DC1E39FAB8EFF62440DF9
                    SHA-256:42D1E6776F183871A3BC8B8C8753C32796991BDFCA3BF81F804FB1B03D4ECEEE
                    SHA-512:BD30635884817A2804178471D53A43DB770E08D1D687DF55B17B7F468C714A00FF9D468CD34E925AA0CF3DFEC547472515CC4FD09D00B0A7D6B4493AFDCA3DC1
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11152
                    Entropy (8bit):6.057255476272867
                    Encrypted:false
                    SSDEEP:192:OAYvknYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4rCn2S:ivknYPLxsSJeeMCS
                    MD5:06F6105E1157CB87F4B8A611E1F81288
                    SHA1:73254A997C597CC4E798C9FB1B59B5DA8A96CE0D
                    SHA-256:D1ACCCFBB9AB2FC8BC3797BE9DAB65E587D29ED6E899D22177B5CDA413E9B2C8
                    SHA-512:98D91D90506DA6AE40CE67838935A6C608EEBE207BEEC7B914EAD96A53F99DEEF261216275C78A7F5D28F73DF405F1292EC126A7494731D3B1701D352871F827
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11152
                    Entropy (8bit):6.146551971444539
                    Encrypted:false
                    SSDEEP:192:rzsWvdnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4rE54:cWvdnYPLxsSJeeMs
                    MD5:B6D35AA880542F51AB9B7483A030BDED
                    SHA1:361B414B65F01B4CA3FF0D9EA8C4CFE89DD5C091
                    SHA-256:25A50888B532767A9FAA45DECA931B908AF31A9DA33E5F0E46E1442B14137E75
                    SHA-512:5B65ED2ECD24AA507C889042C57D452DC213B7A2FA9BBF326689F1339F093A3E80DE58C882125566BEFF05661A51A1C773109A18E757E8CDE8203560F358DE95
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11152
                    Entropy (8bit):6.069692376994751
                    Encrypted:false
                    SSDEEP:192:+4W6TTVvTDvtnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4rP61r:+4WOvtnYPLxsSJeeMOk
                    MD5:27AFA6D5468C68534F0B52519A2D47BC
                    SHA1:CFEDF2674DC467AD503F8CC5A042E75F6D285678
                    SHA-256:B5DD8DD7A25A20277479A4B0F2164447D18230A9B29C1ACBCC761C33E95BCB6F
                    SHA-512:BDD55F0D583F69B406D96884063E923715EA31A2DA74BAE4E9DB72600ABE8C37DF6EB32378201D5F1C4EE43AFBEC40D4A5C8DD6AFC1BCEBFE41ACEBA74CC5E57
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11152
                    Entropy (8bit):6.043877146201794
                    Encrypted:false
                    SSDEEP:192:ddiWTv0AnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4rnPvJxc:ddxvZnYPLxsSJeeMEvfc
                    MD5:5613BF03672333A5CD101DF22FD07126
                    SHA1:3A0436428358EEE47282D9076C145643505DB336
                    SHA-256:A45F0FF2279A78CC91B802FB3ECE7B7CCAD4107F698B7AE53B9AC98817D13997
                    SHA-512:6DA70C95E464F530FAD47735B28FBB54F0D6985DC0A7D6883DB0993BF0A2C6667AB3B543121EB2D48B472A077C2D9D307FA678B318290C58F2A40CE78E12EC8F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11152
                    Entropy (8bit):6.0662044227775995
                    Encrypted:false
                    SSDEEP:192:HGvMDnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4r9/kcs:mvMDnYPLxsSJeeMas
                    MD5:AEB93D207E3A59704C6269AE91953E01
                    SHA1:8EA3985D2F515A9FD36619BC259A25372CA9F41C
                    SHA-256:E5C8E48C31913F5663C4DCEA2038735F789922E24AAD6B6ED2D7326F0DEB8AAF
                    SHA-512:B9618E63319A7EC92C13CB7C5623DC763FDD68707F827E9FF2BD8DBFB81A056F2760436D3B992381266FB81EDB23EDF32A06494F4AA8189139CBDEFD02456F46
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11152
                    Entropy (8bit):6.05851052117593
                    Encrypted:false
                    SSDEEP:192:xRkevYnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4rfT8Bv:bvYnYPLxsSJeeMI4Bv
                    MD5:F53E39AFE43E38C4F72082A2D4D99302
                    SHA1:727E1CD028364C9962390F748812752B84EFD9D8
                    SHA-256:96639C301DF73E0366AD1985D8638D646415EC96517970BF1AD217D45DD35DEF
                    SHA-512:0DC6542B7523A54006974915514090D3C07442378C22A2DA0F0C5AA0147264AE0580AFCDCBD7B6112E23A5CB1EEE34ED83F91230F3EEBC7AEF9154F75C4A3863
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11152
                    Entropy (8bit):6.146546422750023
                    Encrypted:false
                    SSDEEP:192:G8vojnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4rOY8n6q9:G8vcnYPLxsSJeeM0s
                    MD5:8164874CB62C68EA7A88F185A8AA66D4
                    SHA1:F5AF5CFD260EB5C42408F74B9024039DDC5CEF20
                    SHA-256:5A9268BADA2343AB21814167CA04BE8B702BEC9142946EF95506F02C94EC0971
                    SHA-512:7F3F39B3E48B46443CF20423CA3046A9940E2AD9AB737D8D001C3A3B362A954C277F88BDFFEE7F6B645B8CAFE6B35ABCA05D6225BF6AC31C46E86D60CC1C2112
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11664
                    Entropy (8bit):5.940602411019768
                    Encrypted:false
                    SSDEEP:192:198oLkLqE7nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIrj86SS:19Hkd7nYPLxsSJeeM4
                    MD5:6038CF26D9D911C54985845768945D2D
                    SHA1:5F0D45AD44A0403258E11391A3107480713B5FAC
                    SHA-256:E9D320F9D968C4EFA8BF315F7D1F5D6E5095482367CF1F03F2CEE4B2333C43E5
                    SHA-512:0964DAB19711E05B6FE9A8521A00F2AE813D5DDA12A353372694EDB4298059A03F06A3F6F939AA40BEF7167F7EB61EAAFDF904F3ECE5B25300C8BBFDE40C917C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11664
                    Entropy (8bit):5.977452292635063
                    Encrypted:false
                    SSDEEP:192:TcApxLqrnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIrLzgbS:TppxCnYPLxsSJeeMysm
                    MD5:678CDE5A9C49B1A2EF2586ADD2D5CCBB
                    SHA1:EF435459649078EEFF7FECB49675DCB6FD803A35
                    SHA-256:8300EAF3572B65ED874304F811B8F1989F4B26655557ED2641DF06E718ECB8E8
                    SHA-512:B9858526C68A77E9918713339555C7EAE6C6832AE8AB0231A210FF5C0AC7235FDAB1ECE7C9FCD4119D51E2CB05661B806A251A49FE7752376A34A34385E49B0B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11152
                    Entropy (8bit):6.06603943873118
                    Encrypted:false
                    SSDEEP:192:pby3oQBF1LqrnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIrSfMI2DO:yoQP1mnYPLxsSJeeM2DO
                    MD5:A418F452C7AF5910DFC1845109710FC8
                    SHA1:D0A72C7ACAE9B9068517B383A2A9FC98C0B4CC8B
                    SHA-256:C70542DFA0EE914DD70164877F01B5FCD653DE5F50EC7F90B08A1DD316E56196
                    SHA-512:40A09AEAC9502091CFDA30F4E2F2FDD4F23316EDE037B4867065A5D4CECE9568028337EDF26A806D223E31E83C541C125E92FB29BA1140E7399453345F5A2F48
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11664
                    Entropy (8bit):5.961340904550103
                    Encrypted:false
                    SSDEEP:192:qBUFtZswA6LqhnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIr56g1:6U6F6snYPLxsSJeeM
                    MD5:DC0F59BF38EF8536720FB3DD68D9ECC3
                    SHA1:284178124CF6B46A002644ACFA8648BA5EAFF4ED
                    SHA-256:835535E3F0812FA10B9475ACFC15F5FFCC14CB5621C26E7BA4764E3E7EE89ADA
                    SHA-512:047A3BC1FF171A65737667FD2CB42BCE631600B52906B47D9AC2F1B2C1E4AF12BC8972F4AF1D2AB4FE409E537933823E3CB3484E985B45CE65902EB0C105881B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11664
                    Entropy (8bit):5.979271797412456
                    Encrypted:false
                    SSDEEP:192:iD+LqFnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIr2uPGJ:iiUnYPLxsSJeeMhr
                    MD5:BB5511B5A0F750473014EF7EAD8402B3
                    SHA1:36CFD406749CD5CEF932AAD12556D97FBF1AB4BC
                    SHA-256:C56F4797CAAE1A06E7572A6A3158B079CCB0CDDCFFA05894230817E962BAFD88
                    SHA-512:1AEB87E6767B8175DB528169E0F9E036C468E278FD9EB4C800AC66E759413272AA029BD1287A77BA16A9BDE0206E24E381807E98095922B0D6950085B2C72EF1
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11664
                    Entropy (8bit):5.977266559134057
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11664
                    Entropy (8bit):5.98731669854356
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11152
                    Entropy (8bit):6.094243852552396
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11152
                    Entropy (8bit):6.093150057137258
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):235896
                    Entropy (8bit):6.102907148820861
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18296
                    Entropy (8bit):5.33217376902583
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18808
                    Entropy (8bit):5.367230589528742
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18808
                    Entropy (8bit):5.347480055623137
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18808
                    Entropy (8bit):5.371927333012872
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18296
                    Entropy (8bit):5.327561588407929
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):17784
                    Entropy (8bit):5.418350792848489
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12168
                    Entropy (8bit):5.964931188844561
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12168
                    Entropy (8bit):5.870949148071845
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12168
                    Entropy (8bit):5.951329496017959
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12168
                    Entropy (8bit):5.860844616804257
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11656
                    Entropy (8bit):6.160344473941325
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12680
                    Entropy (8bit):5.965355195618139
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12168
                    Entropy (8bit):5.923843739950429
                    Encrypted:false
                    SSDEEP:192:usMxfpQCinYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMoraNfO:VMnZinYPLxsSJeeMnO
                    MD5:688F16990A0C7A4356027765FFBD7AC7
                    SHA1:61CAAF939290F1CBC85AD2E99C70420AB67290EF
                    SHA-256:128ABC25F39D5E83A038382C565452E086AD349C45CFCAC359CFA3CD15019C4C
                    SHA-512:6617DF2FE5D7627BA22B90BCA4570326A655E650158D27E5634ED1EAD941E42A5E5667428DDBB4311F7153EDFB3809FC7947B27E1634139B168C1CF6446AEB7D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12168
                    Entropy (8bit):5.922297896775957
                    Encrypted:false
                    SSDEEP:192:VrnifLMQChnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMorq7QEbdH:VrzZhnYPLxsSJeeMBPp
                    MD5:20990FAEF4CF09CFCD6278D5B08D1750
                    SHA1:B162AEB23D6AA84E623E7A49D8A7A681506AE1EB
                    SHA-256:BF11880E214D7C483F48F3BE1263CF88BAA46F0AD07C7DBEBD4D1FAE45E44B75
                    SHA-512:A92036EB5EF67DCCAF0CDF1BD191DD18AC3DB5CCBC15AA39CB4411900FE2CA8F8CDE2AAA68E1F496A51C1EF01CA6192109E8957EE5E1573BDF26C5B1C6F10FFB
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12168
                    Entropy (8bit):5.897258239349004
                    Encrypted:false
                    SSDEEP:192:AKMkZAzSggAfjQCpnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMoroHt5:OZpnYPLxsSJeeMdHj
                    MD5:407F4FC4D7028282B541ED7990B9E847
                    SHA1:AE3B1B5CE426C4CA73078C07CA6D6891BE4D1072
                    SHA-256:A6EADC48E752AD829C8A24A97139244C880982435C59DBBD242213652FA7699A
                    SHA-512:BA170DF3D2A23202B932FE4BB5DE937F67EEC650118548CDD8A992D63D32CB252ADEBEC7DB18959FB82960A43E6B4FCEEF898E05CB5F9EEE0FBEBDDE14D1AABD
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):310648
                    Entropy (8bit):6.380017475576453
                    Encrypted:false
                    SSDEEP:6144:pLMJcvDXkkxAnjyo+Cng/0hgdFkODNgdOEJfk:pLacrXnxOyCn+0G8OEJfk
                    MD5:87B77CF1B609860F57F63759C2C8D9C7
                    SHA1:C7C277AF2ECE28CC3FAE87EF12A602839EBE81A2
                    SHA-256:E3065E3579D14D9DBABAC1B8F6389593216DBD1634DD3ADD77D6882BC8EE9B57
                    SHA-512:41E0F147B9EC66E2AEC5A51A2E6AA4D99A1B2FC5264AEDDA639AA93DF06F206842E94E7C881C6C33772DD90C5D0305861E91C7636AA3682FBC5792234CA91AE3
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14712
                    Entropy (8bit):5.535507375991826
                    Encrypted:false
                    SSDEEP:192:9h90Clj4G0csUXUu/qKnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArwB:9h9z0XUXUunnYPLxsSJeeMJ
                    MD5:9A340ED3AFCDF17F58B463A5D59CF415
                    SHA1:E8E7D2A1E3A5B0292B46C63E05FD4838DB149631
                    SHA-256:6C39B39F4AC0B6F063B40505D100F8C72DE883356A73FA3A813B25033E83B80C
                    SHA-512:8489217B1611C17549DB67CE74507FB8B1D92ABC7F62DEA4F41300B553B0274C687AFC8CD3CE243C7AA906BD9BA5FDD53909ABF6EFA30BD9FD5FFB0C3AAD0687
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14200
                    Entropy (8bit):5.546452966011361
                    Encrypted:false
                    SSDEEP:192:/ABWB74/kiC+D4Uu/qZnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArztMOp:/kWkD4UuwnYPLxsSJeeMChp
                    MD5:19747D1567DE306271B91A5BD467FF0D
                    SHA1:B952248098113948357A93BB127F929763CADCE6
                    SHA-256:5BE9496A328D6CD045BAFBFA8ED05CF84E1FF4F3A42B6463705E1251ADD3BAD9
                    SHA-512:9FCE27AD57CDFE0D8C7ED4C440249DCD0CD3E321499851AA31E0F5936A6AA2D9289A2E35A4B930A6C0B9D36178F183E3B509FFC0F4513BBD04E6D0106BF783E8
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14200
                    Entropy (8bit):5.546972035784507
                    Encrypted:false
                    SSDEEP:192:b52UA3e24QLAQUu/qcnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr3V5P:bExgQkQUudnYPLxsSJeeM47P
                    MD5:E93C882E77E01CD6780A88898175F065
                    SHA1:B6B74C19CE915DD7F1E0736BAECB19F53E33EE26
                    SHA-256:FC04DAC73D102004E6C65EC9FF57E8E920A0EE843C3991C3774592DDB6E2EBC2
                    SHA-512:C19991FDA64CA971B44743A8B36DDBDE028F0B1E143FD10AC0E1F4D5E3367376F84417A5745BDBE693356959D336330836E98D88739401650628051B9FC1EAD0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13176
                    Entropy (8bit):5.818284684488642
                    Encrypted:false
                    SSDEEP:192:Z15t51G1tNUu/qc9nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArl9b:/5fsDUuD9nYPLxsSJeeMub
                    MD5:029893BA8371C2CFFC1AA8954B718FF4
                    SHA1:D782BBF64A44028255B4400E8C497E7D0BFCF136
                    SHA-256:382024E00ED7530062C0D8AFB79EB9418B1E6D938056F3ACF37F51FDB94142AA
                    SHA-512:153CFB1AB25210335946C76700725BE84F4FAA72F04ECD284CBA8E5676398457F040A06A903D25B1BE8F8B950F3322401F08793A26D39C9D6AC4F71AD5F36B16
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1849752
                    Entropy (8bit):6.630837743103252
                    Encrypted:false
                    SSDEEP:24576:F6VQzIzc4cJwKgXShEiDC55noPX7RXyLe9F/pv:FgNzw0nhY7RXtn/pv
                    MD5:87CA4185F45402D3A6A206E4AF8A2C9C
                    SHA1:EC871C207E96BD31662A40FAED2ADE644860D52B
                    SHA-256:3ECB26FFA0ACBA67AFA0DC625517D08E3D1F517FA2BB0A4750454BFE460B2B54
                    SHA-512:2D0B506C3BE262C6E3833F0937E0378FB06C1CECFA01088AE11ECD6B5BF6E3791BD04C89A5E9B27329420FED69623D043661226A078139F19447D9F57293CCD6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):28568
                    Entropy (8bit):4.814879120919339
                    Encrypted:false
                    SSDEEP:192:kLWPu7X12kYBWYgSjfKy3ljfS3fCrNeeMpS2DunYe+PjPBr7ahPO/d3BNJzr9ZC/:kLWPu7By3l7vBe7M2DunYPLxsSJeeMBF
                    MD5:2796129A4CC2E89644F79AFB5666D481
                    SHA1:41D86D77A99DFED2F3B009501755C6579F3368FB
                    SHA-256:268F289400BD320CFDF43CC2F1F74F8D0B1191670647476EBADA726ABF0CE929
                    SHA-512:E29030EF30D245DA5E23B7275FDD88DC45B3A68417988E006CFE84B523759C3BAC1D1C2375877E5506AF3970B4E666683BEC85A4EE15A3A71399ACFBF7EBC1AB
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):29080
                    Entropy (8bit):4.791767458193132
                    Encrypted:false
                    SSDEEP:384:kvlPu7Bdel0SIyjxvBe7M2DunYPLxsSJeeM1:/Pel0SRjxvMw2Ss5JS
                    MD5:CCB9BE2027E0C54779E73A396D83445F
                    SHA1:EE517DD232E9CDB64FAA99858AAF57CFCB41FBAA
                    SHA-256:D41602AF37D32A3098D58C0930E4B6F56B80B41883045A0FA35E53141B830E27
                    SHA-512:6084BA04D62CBCB13D40607FB696D1EAEAFD83EDBB74059C1F1CE05A2A621678D557114B6D695051C70FAA1616B11B31FE67C9EB2362BC0795270211A5E42D84
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):29080
                    Entropy (8bit):4.789815010495389
                    Encrypted:false
                    SSDEEP:192:IxPu7X12kYBWYgSjfKugCUoNva3fCrNeeMpS2DQnYe+PjPBr7ahPO/d3BNJzr9Z/:IxPu7BqBfBe7M2DQnYPLxsSJeeMRJPPw
                    MD5:A3DF7F0CEC5AD3BAB92282F2CFC73AAF
                    SHA1:8F56EF560D43C4F81B3A2CEE24F3328D662228BD
                    SHA-256:05256A86909754FC4F93A9E161E6EB2E436525A4A4B0AE2AF34278764E48A678
                    SHA-512:74F974BEA481B64EF9B350E28C9A1C018C92A1729238A275F03CB423B292BB96E47ED3E6A69E20921099A4723A6CBDCD121A7E6F437F4AA566B645109968AC15
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):28568
                    Entropy (8bit):4.796866870948768
                    Encrypted:false
                    SSDEEP:192:xyV79Pu7X12kYBWYgSjfK0Rufd+2F2L5T3fCrNeeMpS2D5qnYe+PjPBr7ahPO/d8:xybPu7Br++Be7M2D5qnYPLxsSJeeMwq
                    MD5:A6F27DECD1DDF3E3E79DC57A5019C037
                    SHA1:733A8BAB59FFF9993103FDF1FA24507A6C3D79BF
                    SHA-256:98884CFB2F095AE14344D95011C90DCC4F61C9C36AD0E4DB0AE19F8BEEFDAB6F
                    SHA-512:20E5B132BBD1C35D2130B62C30DD9676A0877C4A5BD88E6A4F1AE0B67FA6CC964649F06A5EA7B460C902EB8440072E9E586B4D85D549CB54426F12CAEFB417AD
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):28568
                    Entropy (8bit):4.7850760927125835
                    Encrypted:false
                    SSDEEP:384:WoPu7BkhH7CvNDBe7M2DtnYPLxsSJeeMHyG:iQHGtMw2ps5JkyG
                    MD5:4CFD6B2A67D6DFD8D87797F44F7C67F9
                    SHA1:EB1D263C8A98D4C39A190E83E095CAC50E9CC928
                    SHA-256:D881556D2197E3B5AC14560F6833162C1AB2A0133B3C302A6B6AC453508BFECB
                    SHA-512:D6734344330DC573578C416274AB08D3C86BBCC616771C93D5FDA9A680569613508AC33ED3DDC1E44038C830039FAF014C06F46936D45C93575701985CA7D1D6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):27032
                    Entropy (8bit):5.009393744409455
                    Encrypted:false
                    SSDEEP:192:5Pu7X12kYBWYgSjfKHfl2s3fCrNeeMpS2D24InYe+PjPBr7ahPO/d3BNJzr9ZCsV:5Pu7B/UZBe7M2DqnYPLxsSJeeMrc
                    MD5:0E81F1019C707F5E1E4B6C99EF53D905
                    SHA1:1692FE7EEB4342209D102813D5EC578B32970D4E
                    SHA-256:4B8BB78185F2874FA2078BA4132C0D06C21613723F9E25285684AF6ACED403DB
                    SHA-512:28F66B4AD903E8E8B1B00ED59231BFDF383BE95803B1F8AC63C8A731B6116CB7CE1376A13E3DE49D867C5DC0F30A53ADAB3832F3CECFAE8A860827DBFB3CA9A6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):108944
                    Entropy (8bit):5.735394818357411
                    Encrypted:false
                    SSDEEP:1536:bo1eCjP4jHlb9t0kNWwPY8Ay5EE4RqNDeTODVe1H95Wev5J:OpjAt0kI3q5J9EODV89jxJ
                    MD5:BC090C77B794961702BC6DDAEB23E9F0
                    SHA1:D46BCAD9F894076623D1123D8A8602392C348F9D
                    SHA-256:3455D253CCD87F35A25BDDC66008AF8F041C0EA3AD112A013541259CA3F658E3
                    SHA-512:B0797E535A698A79A8CEBDD9BC5A7988547A4DEB8CB2D8C98F145E4DFE7F089EA0EDD0CCC5B1D702D086128DBEFB80D75BE9627E3788E282A739307EE70B68AB
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11664
                    Entropy (8bit):6.030864387439911
                    Encrypted:false
                    SSDEEP:192:PWk6a8nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIrI9:PT6a8nYPLxsSJeeMd
                    MD5:4154EE4EE4245E447A11E28433ECEC49
                    SHA1:FF317DD08455DDB8089416B035CCF726A8807CE7
                    SHA-256:964E356EA1038D2C4EB4AA5A498F8A60D222822A05A1B93A28EC416F6FF2409F
                    SHA-512:ECA4816037620AAF0978E92F64CFA25D3A1E4B6B3ABCCA34516284ABF494075B240A7049B3B7F82081CCF89A07A73DDC995FC8D466AD7AAD55C97B26205979EC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11664
                    Entropy (8bit):5.972433425876648
                    Encrypted:false
                    SSDEEP:192:kWxc8oVqxcIWT6aanYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIrypiO4zgH:kWxchqxcIWT6aanYPLxsSJeeMTiLzg
                    MD5:A6B338B1ECFA50DA24968403E3D74C09
                    SHA1:3BAC2F3DE511D7E6F79CFAF6C5E0FF12E46418ED
                    SHA-256:91977C3770233597D5F1A52F6D2251B48E43EE7BC8B51309AFAA8D4324C4D32C
                    SHA-512:2FF5BE879CAF61FFDBB4A8DD0760F1EEBA514952CCD9A152AB6DC68107C06F2A0A655BEB3650F4A8CB2D1965463029098398A434BE7FD6D46D991FF7E2C2D5BE
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11664
                    Entropy (8bit):6.005194321941107
                    Encrypted:false
                    SSDEEP:192:9Bi7l/1boL06a5nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIrBBo:9BiB/1q06a5nYPLxsSJeeM8K
                    MD5:F56119E3079301683229D189E62386ED
                    SHA1:B028489D6C200BEAE0A9DE3484385D06761F1147
                    SHA-256:D9B8EEAFB506959BA0DEB2B901AC915AB546A6DAD57411EC08F2E59E198F2375
                    SHA-512:7E160F93BBA8A526400A1A8EBACD40E2CB658C5B7CE29A23FD488EF426776C9859ACD21499140DDA554CE0B3C81DDAD9CC458219D604FD1A879C0943C4CC18D6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11664
                    Entropy (8bit):5.973646253108057
                    Encrypted:false
                    SSDEEP:192:FoOK6a2nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIrsEeuM:i6a2nYPLxsSJeeMF
                    MD5:31F901CF172477ACC24F2A6AAF03856A
                    SHA1:8F37523FB80E68BC3C712254CB51CD5CC4E3D2CC
                    SHA-256:B9F854DA03CBB301BA54E4957933500912AFB9BAFFB18E2ABB5BF524D874482A
                    SHA-512:EE288CD3F6DFC9A01ADD89030A0CA12BC266547D6C6B05E71F994A260437CF80F57E38212CEF6F6B63558AB5A90B1DBFB34CF2A662E5E3CDE0CCF531FF9C45CB
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11664
                    Entropy (8bit):5.961362073129991
                    Encrypted:false
                    SSDEEP:192:DD6aqnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIrB5eG:DD6aqnYPLxsSJeeMs5n
                    MD5:97F5D840C7F0513577921E14FD22F2E1
                    SHA1:1E048D145361BA6B0A3A9224E980B75BDBE79DC0
                    SHA-256:03B264DCBF45B11C611C96B078937300F16E68046B03C0A57791A1570C946AC3
                    SHA-512:735C8474164C006D789889BC4A3048C0D1EBF3FFC41E0C2F02F42E89B9DBF953E34F3139BED8366F8799425D94CBE308D63250A251A2BFF968B7D6DF9B71164B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11664
                    Entropy (8bit):6.105633617398707
                    Encrypted:false
                    SSDEEP:192:m6avnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIr3/dFE01i7e:m6avnYPLxsSJeeMi/dtz
                    MD5:050A5334E4F39D6B36F4EB898FE0AE3F
                    SHA1:BDFA035219525B3EDC74610D354CC6AA2A4FF2A3
                    SHA-256:336F04343940B2A2D56AA32991AF055C47F79C2979AD87B23DDFE1D9A39E6BB6
                    SHA-512:7F6514103DB5F4154BD85411433475A3B1EDA13507E17FB94688FBA4224C1B6A85E2D85F37AE2524D2402DE1BE2D814F651994BE1CE302811FDB0775811DC58D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11664
                    Entropy (8bit):6.010005915819941
                    Encrypted:false
                    SSDEEP:192:tRp/Wckr/6a6nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIr0UaG:tRp/Wckr/6a6nYPLxsSJeeMpUL
                    MD5:C23FAE18521209817CFD603D1D89A4B5
                    SHA1:2835E0678AA7915854490AB77079A6A73137ECD6
                    SHA-256:E964758ECD9A9008D7A4E6510BF1DEE09D8F41133EC7903C9D386E6AA4532258
                    SHA-512:080D07FCCCE4BE7AAA3C26A6C2405501FF5C76D13B22187F3D9EE90C577589B173DADEED547C17E55AD58DDAB59CAD6AE956A54CD6C2BA362F2FD489E9A409B8
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):486272
                    Entropy (8bit):6.39719995354818
                    Encrypted:false
                    SSDEEP:12288:fDoAMWrRSmekbqOrP0GW6NzcIvCV2RyYoMwG2W+VbuYOBqp3i7UMdKz+dBTCULrz:fDkyRSmlNNzcIvCkdoMwG2dbuYsoPyKw
                    MD5:EDFD89EB9CA1F2353BB4389B4E104A74
                    SHA1:E63BF6F68D74195887EC0DC9E878E93F14DFAD17
                    SHA-256:1ABE8E533DA1E3DFBB8ADAD7926B992A9E01018F05EA9D0F8C2A94511356C17F
                    SHA-512:36444CEA86F3A645395BD0A394D01AED895876CB40FAFDAA009DF4F3749EA3D2123F5AC26CB53C5543E259266AFA25FC7E8B5490230D441C825BF66BB2688C6B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):16264
                    Entropy (8bit):5.393478948510737
                    Encrypted:false
                    SSDEEP:192:NKZcU1bgQY9bjk4KnWYq6nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMorNdFT4B:NKZcUx3YZjk4KnWSnYPLxsSJeeMWdc
                    MD5:75948A34AEB0C1EAA90A40B255D64E64
                    SHA1:077345D1FB791D7ED09990C5B12AB94162EFFB6C
                    SHA-256:D37B0A8D88B6FB2469D574BD42EE2089E1D79767A86475B4CA5D8B433A1BF7A7
                    SHA-512:065529F2D6F4CFCE47AC5220503AE563E86AEBCF39059E8B9DF22452282CFD1DE13485F971E7AC2786806D27D5F29D4950096528A52A99C6995047DB1D20A865
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):16776
                    Entropy (8bit):5.393379399990028
                    Encrypted:false
                    SSDEEP:192:GcZ32Oi9IivYlgaTZ67Wxo68nWYqPnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMoru5:G83hfxynWXnYPLxsSJeeM35
                    MD5:32B08AA3640FB74C672B43195C036657
                    SHA1:DEFF00AF984DFB1B9111B3820683699AA0D963E7
                    SHA-256:9340F7168F31C8769255CBD051B83C17AF0BA6F0E9E8EFA7FBC87B31AE2D810E
                    SHA-512:10B030E7027F49F47CDF76B4AB8F51725E1AE0ECC42CC5FA84FDC3EF29D51C5450AB3CAA5CA169FECF03094876C096B402B111CCAA9BA4C56267281D2C7E9ACC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):16264
                    Entropy (8bit):5.336497002961815
                    Encrypted:false
                    SSDEEP:192:Msp/yyAazOnWYq5nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMorm+ZXrkdn:MsV1AazOnWRnYPLxsSJeeM1+Jrkdn
                    MD5:A47DA8C172A55682156ADE39FF34FF97
                    SHA1:32EA55A5C0FACF0DB05377BAD671FD536271BE85
                    SHA-256:5196E7BD93B0D50D5A0F0EB678B749CA8C951972A2307310A70E5037685D32DA
                    SHA-512:DE9932C9163B4321CFFA6DA6A18DB8A9624F9F435603BF132D0E54AEC0D93DD797EF16BC85DA670F8B4B93E162EF89C79A7EB35D9B58E4AA27886E038AFB54CE
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):17288
                    Entropy (8bit):5.352712639855626
                    Encrypted:false
                    SSDEEP:384:NsI/JB5eBhae2SfV5DAnWXnYPLxsSJeeMfRs:NsI/JveH72ODAnWXs5JERs
                    MD5:842B4F827925237D816C69728AB20417
                    SHA1:066F292F1A3E0E81123DD07835A0C379B941E483
                    SHA-256:D78F0458B7B509132D0263F0936F34DD643D22F5CABF261B3356E91021D925A8
                    SHA-512:D5828D06689EAF68A46A0B4B187A5465C35C492D6F9AF2AA2EF71A8263B375B8E1999ED3589024226E6601A467B314CA5661B59AB4B750E07DFCE278D5E065EF
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14728
                    Entropy (8bit):5.9012519747829995
                    Encrypted:false
                    SSDEEP:192:QNpv1FSyxASznWYq9nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMorks0iuo:Ypv1FSyxASznWlnYPLxsSJeeMj+uo
                    MD5:852A387DCD08C7B3FCA361C59C152A77
                    SHA1:DB5018FB225E5C0C35924EC90675925D7082247F
                    SHA-256:0390BE0DACB22245FE9438FE2337DF34DB78DD85EB4B63802F60E56620DCF3ED
                    SHA-512:DCC8C15760D38F7DD5689DFAA3EB82D003503327B1EC5C50081491455A42C3A8233D5DCACFE0A79677587DCF09E4EED39E9827B130AC1BC404733B6C8CD7B3D5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):17288
                    Entropy (8bit):5.293207956320027
                    Encrypted:false
                    SSDEEP:192:tv4tATuM27j+MHfuHEnlS9VV9JjnWYqZnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMY:tvM5HfuHEMtnWBnYPLxsSJeeM3lq
                    MD5:D699548FD5064EB6CF78EBC431BF4ECA
                    SHA1:67B3A74E9E9D02ECAEE4EFD5365D61C4AFF0684B
                    SHA-256:2A528C9DE59C6D7D4CD4B28C5003B20AD7F5203E19A5F7938399BA942325B127
                    SHA-512:16126B893C800B6C2B4ED62994CA349310C07573B7B560171EFB9434D19D2E36CBC15B547EA87AAE0AAB4E1551B02AE51885D86C16D159F28E143F0FDA476A0C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):16776
                    Entropy (8bit):5.369133546791918
                    Encrypted:false
                    SSDEEP:192:nx71uv9aYgS8NpVtHcROIEEbqnWYq4nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMorE:nxxulaYgS+pV7nWQnYPLxsSJeeMt2kp
                    MD5:8218EB62A7D7C946B12644E4382DCD7E
                    SHA1:34B6FCA06994584BEF6EAEC1DFD4D0DE41049987
                    SHA-256:CC36A7BA92A12302C0A215440F881AB60E311DE13E92B3CB52A614E69E08CCF7
                    SHA-512:0FABAD52708F26E5BE879A02DEA0E65A3C94AD431A1896FFD1793E3A0C06F75C818ACEA4CC84979ACC8376556BAEAA99D311E226055235E015C889C3999BA185
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):16776
                    Entropy (8bit):5.435073933153211
                    Encrypted:false
                    SSDEEP:192:qL0TSqI2qqqvRiB+bTfuK4ubaFnWYqDnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMo2:iIPI288B+bTmKBaFnW7nYPLxsSJeeMy4
                    MD5:987936127281A5FF59FECDE5DF3054DF
                    SHA1:FE48D7F536AA03FA9B1D37387A6B33E875874B80
                    SHA-256:CF3CF5FA4D6441A10D8E092E83D5ABBE2B2CF850E91B8343B82DD22447EF79C2
                    SHA-512:393B2A33ED150249B6F12FDCFA61E18E9ADBB5196BD79178D30AC105CACB62E942363B1EB3E4B8FCCFEF3F6AD2D1C7AA8A07A3FD05CEF4818A7F26EF051FE7E9
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14216
                    Entropy (8bit):5.899118383842764
                    Encrypted:false
                    SSDEEP:192:u3tTt51GxcETCnWYq+nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMornZoQ:ANfycETCnWGnYPLxsSJeeMkZb
                    MD5:A8E8F01C432B19D577851E19DE7615D6
                    SHA1:A454420D7F23C62C5F74BBFEEA2A854117AC8A27
                    SHA-256:D35061DE46DABCA94A91EBA1758FECA6C4407144D24C6FD2F8DF686C52877B10
                    SHA-512:31CD433E822A81DD3EB20BE6A663112372CC9E03515B70560C36752E2BBEA4E189D37B15778147FC1188EB385A12A11BB8F1515D2DF6F4D3E95CD019785349B5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14216
                    Entropy (8bit):5.882468579390825
                    Encrypted:false
                    SSDEEP:192:SwgOnJSE+qFbjVGunWYqBonYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMorfpDAe:SwgFybjVGunWponYPLxsSJeeM8Ae
                    MD5:9829B0FE6546D3D2CE83CE35E62E602E
                    SHA1:C02AEB7543EAD83C2E06DA77B2F1B87BA8FCC11E
                    SHA-256:5DE7219A8BB26E0AEACB05A5FA8072B20A37FEFC572BBEC2FE6DCE3418B5255A
                    SHA-512:1904F2FDABEAB750BA2C84DA86C59FEF89C001BA492F597557661267A82711BBAC0E612A7C0C145DB5970AED52E8A5992FE55D3BE41BDB7F08FC481E11FBC7DA
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):289144
                    Entropy (8bit):6.269939050433526
                    Encrypted:false
                    SSDEEP:6144:KvzS6hwDZOxadH1cIGFXztN5+sKHBtsxrLBn4o0s8XdDFUU5TVOjcEZyAwT:47Eq8XJFfRxAwT
                    MD5:77338254BA1077888D4070634CE7E763
                    SHA1:328A978A002482C6DB8FEB5E95603AA101032A52
                    SHA-256:100B5B185C50A69DF7B4CC8924F39C615E2E4A076CB4E6C8531BD17191BCB0C7
                    SHA-512:C1AD99A7A44E36DD13877D9C8BACE924AF8AFD855DB5758F2FDD11EAD8D548EEC22745FF80BD3AC0BAB86EFB184BEDEEC874023BC0EFFF086B46E5984A2003E5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13176
                    Entropy (8bit):5.70936976798392
                    Encrypted:false
                    SSDEEP:192:k4adopsrtecNqInYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArkr:k7doertesnYPLxsSJeeMH
                    MD5:96BB5050E119B99E805DE5CDAFA9CDE6
                    SHA1:86C2352B440F84F481CEB7F69FCCD8792484C073
                    SHA-256:7E84AEC5D3D5993C9DEC6A56343166D242AC9F62F52323DF49D4D59BDA82D6F7
                    SHA-512:C88CCCD9AC67117CEABC0D4897CAE5201CD7251D737FD9523D894271E0032537B793E616532794FE068BD0F1E4FD3099249AD27305E28C3991B315282B964048
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13176
                    Entropy (8bit):5.671549502443817
                    Encrypted:false
                    SSDEEP:192:E2+O3ZtecNq7nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArrumnC:E2pte/nYPLxsSJeeMsc
                    MD5:6E2E9970E756AB31AF7DB15CC0A9D27B
                    SHA1:F06EAD22A2C536CF5A9163BD1B31DD5C366321A1
                    SHA-256:957492AA962450D3FDC2807687A0FCA705915DD7A16CB936FFA4987CBC3A5732
                    SHA-512:7FC8DF27F2B0D9096CAADED8A6E7CBC5FA8EB933C3943546B35AB6C55A1A136ED08829F2A6611964618F1B798C38391700C87547D622C1F1DE3DF9734FCFA9E0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13688
                    Entropy (8bit):5.7196059346694215
                    Encrypted:false
                    SSDEEP:192:8ZN0fztecNqenYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArd4/j/D:8mzteanYPLxsSJeeMt7D
                    MD5:B1765CE90192BA1AA0334C526794E6CB
                    SHA1:DB8A54AA3F9DBD626D3F76338DA897455A411C86
                    SHA-256:5BC06682C231C0109A7BF79AF00D7D8FC658A761FE798A7FFB1FDC92021B5DE1
                    SHA-512:882B68EF0509B20A9BECC6F28827D17E0521A0AA7A2A3EF030D53CEF9A518BA26F3F5E92A12641EFDC0D3E9D75D63EEDDB44E02AFE8B71387B50A48ECB558E16
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14200
                    Entropy (8bit):5.621838442865016
                    Encrypted:false
                    SSDEEP:192:ZwxkoJkvWxfmUjEcsj8MtecNqEnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAru1YJS:Z0koq4yXj8MteInYPLxsSJeeMwU
                    MD5:FF220BF017389F77C186901FF9CA677F
                    SHA1:34C40F1B0D0BDDCB01A62681C4AF7C3351A39579
                    SHA-256:2CB86FCBDB0B6A73B964D29BF7DD0EFAC6F201CDE305CEEA4CEB249725A9935A
                    SHA-512:9ACF9B695A39EBFBBAF65190205399C1B7642DFB7878DDD8AB064CD6DA3BDE1DA66371EE7BAD6C51751C673035E9344071A50417AD47DB1457934BE2BCDB610D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13688
                    Entropy (8bit):5.635815238350562
                    Encrypted:false
                    SSDEEP:192:O0aKwNORgMKxqf1tecNqXnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArymKAg:OfKwqF1tebnYPLxsSJeeM3og
                    MD5:6440F120FBC64B3E58786E88445012B8
                    SHA1:A26E805F64CB5F0CF050ACB6EAA7BFAF02F3B0BB
                    SHA-256:5D3FE5B8757691E6CB3E031641B5B4D19EA8B2E0A09911A01C55C186AE420D4B
                    SHA-512:9E648DD522C7CD5C0E57B0D36DD683B83B3A2E58061C977F759AE8558D00853F813511E890D0CF34A279F139B0E20C447DBDD9743ECA803DE1713FF79FE394BE
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13688
                    Entropy (8bit):5.632778117444635
                    Encrypted:false
                    SSDEEP:192:8uBY+Hg0WjDH6ctecNq3nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArV3KM:8OFBWjDJte7nYPLxsSJeeME3t
                    MD5:1F12AFE744FBC7D3029C710C87B33A12
                    SHA1:F5D69D74A8124D538F57208B0E3A497B931D92B8
                    SHA-256:0D35FDC84023EFD03C80A8A6DAB2196786379422D98E78E33343B62A6F54C5D6
                    SHA-512:369D85DDE9E9732F932E173479891ADB88CCB58EBE4A78770618876EF485133130F54EC9935AA8D29D0BE511BCAA3E8FF40BF4C2CA21A82BCB3B13EA044A40DF
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13688
                    Entropy (8bit):5.660936611234428
                    Encrypted:false
                    SSDEEP:192:s9DvthNgtecNqlnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArBhtWr0:sFvZgteZnYPLxsSJeeM6tW4
                    MD5:E8728E34BDF15C46D8CC8FB2E4BAAEF5
                    SHA1:510777785EE82A96DFE5294498C7A731AA5A010D
                    SHA-256:2E651D9F19352608ABCC47E57FA6CA01594C6FAC8BFA4DA4B3EDD3E78D4CDDA7
                    SHA-512:74ADAD5F2B4DCF9CC8906D65AF572EB20767334E3A86A30936223A46A5E8E3184B5419270B556EA59EED01C7954FDCEAA2BEAB83D89B3BC7AAC5704ABFB4929F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13688
                    Entropy (8bit):5.695659572561126
                    Encrypted:false
                    SSDEEP:192:bfbRUMkHtecNqenYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArfe4:bfb8teKnYPLxsSJeeMV4
                    MD5:3204B1C8B1B60CBB692BC2481AC645DA
                    SHA1:01B3FCFB0D505676F757B9BAC634889FD523E3E6
                    SHA-256:EDE293586ABB1BFB7F7281624EE7D28AD7483B0998AB097E385080619A9365D0
                    SHA-512:74B448B9B3F10C56536143D4786D5C4EEAEA8585646B733E655BF70BBEE9B9D065CC36EF6587AF0AF6DC3C05C95F487D701C788015E2D734D6703B200E26B24C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13176
                    Entropy (8bit):5.959348921534074
                    Encrypted:false
                    SSDEEP:192:edQ3dJTvj82PjcLPEL6tecNqsnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArIi/jei:eyNd4mUrteInYPLxsSJeeMzkSdk
                    MD5:E2006C18764128EA829184B85CF00FC7
                    SHA1:20412622A4F1659A5578882438BF2C6D7DE8216B
                    SHA-256:9930CB5D20005D9E6E34CB695F2E9F9FD55C80AF41F3DEC20FF0E4B12C5E73C2
                    SHA-512:C087280060A454BCAFCD8DE0DC2475D0BF1914EEDBFFD6186B0523F0067AC8501DDCEDD29E29AB352A9E7DB87555C9502BBD7F8D77B962E66387AB814B0322C0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13688
                    Entropy (8bit):5.757036703357163
                    Encrypted:false
                    SSDEEP:192:tXVcYqC+AtecNqLnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArZ0RRm:tFOC+AtevnYPLxsSJeeM8d
                    MD5:AB76EEB22250C1A5C80F43EEEDD56BF8
                    SHA1:B0AD7C30CF470BB5CEA69EC9E16FB4D4EF7A5BFA
                    SHA-256:AA5EEB8904BB4E1FAD54824BB0722136F5DF080F92D9D42C95D1BE0B0D1ADF18
                    SHA-512:C9C2AEF23C30D428A867239306256A7EFF9608E226FE0290470DE72992E2F573C5CAC6941AB60523F4F478665EC9A04E3CCCCB766EF2C3307F7D4410AC31C0C3
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):6.01484545717329
                    Encrypted:false
                    SSDEEP:192:/qRXtecNqmnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr6WJXr/:kteKnYPLxsSJeeMAl
                    MD5:2E566BC57D29139B9997A2AF6A8F07CE
                    SHA1:90E8E19CF4C8B96748008903F3FBECEEFB35F554
                    SHA-256:A998C93978479A5B7C8BC3CC34A540C177101CFC517E4F73F771A136CBEFF1F8
                    SHA-512:535AE8DB8457763D9FBDA856DE2BA6B2136419F05868A691B2838D8BC162025EFA07A36B5F482A87EF95E09A6444BBDB06E2ECCC825835F2E461ABAF7A4E1148
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):248176
                    Entropy (8bit):6.439351331030095
                    Encrypted:false
                    SSDEEP:6144:dAQDnEMw9dFh9HcfVkGlOAQ16c3vP3VgL:JElvHcf/u6iP3VgL
                    MD5:33FCE6763B698194E316E6E958E1CD32
                    SHA1:42C3EB135A63E12054D2B51D6DE397A5333923CD
                    SHA-256:018482AF9725BBBE8C431CECDE333DB510B98CA80F997A9FF75C9B9D1AD502D1
                    SHA-512:A7CBFD2C9EAF9B67DD82033BE8A6A5D431664A2ABF7D7E10D7E51543754D8F589184A1CBE812CAE4DA7D9F537DAD5D6DC8706AFD2CBCBE1CC548BD773B50CDE5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):305552
                    Entropy (8bit):6.468445981282974
                    Encrypted:false
                    SSDEEP:6144:/QE31Fdpj6DprUgeNuTFeABn9F5AhfrVEZ4J44tlDBRLRwJb6AHrUkOA40Tlcw8a:ouXynHAlrVECJh7Rwl6krHlcw8qLF
                    MD5:AB8E88B4B54B49BDF4871138C6595806
                    SHA1:A36215A36F6F60FAB6DD8F58C887872504190EF9
                    SHA-256:9387E62B8B3A2E1AFFF85B2DE6904FF2A99F62671F5F575BCC72E6F6387F40FD
                    SHA-512:14AA4874D91502316A2106860FF4FD6D9BD10D958CE02BFAECCE7F357919F84398D1A2D5ACFBAE197041FFDFEE0511EA843F816AE721B604F489D4927B6B5CBF
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11648
                    Entropy (8bit):6.074806624462214
                    Encrypted:false
                    SSDEEP:192:pGfddCnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMgrwH2rN:pGInYPLxsSJeeMKh
                    MD5:C7025312202D854DB0A378C7AADDCA54
                    SHA1:2E091D1F9197141773A37E8F2C0EE6758E9EA99C
                    SHA-256:654842CC982357B8028AFF8CC3A1BACEF4D622E927D4E1B470C1E17B5AF08214
                    SHA-512:856F5B4D36166C64F1FD206C20604DF2CD514CA13258A8E58C12F4A21B2D17045279B7FBCAA1B64DCBBDE2ED10A3A8EA96D0B95F4E99583C6A0F9B18F3550A43
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11648
                    Entropy (8bit):6.055502224911774
                    Encrypted:false
                    SSDEEP:192:SBh0BEdInYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMgrU/FMwr:yOBE2nYPLxsSJeeMnvr
                    MD5:7CF67EFA6AE8B73A72AE4801EE4765A4
                    SHA1:AD8C8BC9CAB8FB190559A1C8DEEB81E7419829A1
                    SHA-256:3A39EF13C9E2E7AB585AA2B8140C63A0904E38041848D88600121025E178401B
                    SHA-512:767CE83C9ED73F235D2BCDEF7F97C5B5C8A7C4857C108A44138D0C117C41782081E1EC93A48A1931F4B8B8C97C1C5042FE66C731EB36151674E99158845808C9
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11648
                    Entropy (8bit):6.061653547111637
                    Encrypted:false
                    SSDEEP:192:wzvDdynYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMgrFSx:avDknYPLxsSJeeMJ
                    MD5:01E61AC40CC0D75B7AE3EC6B9FC5D5BA
                    SHA1:B8F8671ABE9AFC9DC4BF3C781EE2C490B3567F7C
                    SHA-256:DBA67EA6FF7987D126F0BEEDCBAAB02B537D719F654CC78BC3C0DB254E9AF9FF
                    SHA-512:CCB6BFE0D98B24F0B0C54ED08CC8B5542AE7DC0C3B721842EF42FA777BC9E45990B40F1B46EF4FE5224D77821E224164FF2AD3607103FF3897AEFE832A7AFEFA
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11648
                    Entropy (8bit):6.080989153419573
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11648
                    Entropy (8bit):6.063418767127035
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11136
                    Entropy (8bit):6.154286884810523
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):235904
                    Entropy (8bit):6.396342390531452
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):3074424
                    Entropy (8bit):5.979956084469814
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):248192
                    Entropy (8bit):6.4390748077588995
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12160
                    Entropy (8bit):5.979132992617695
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12160
                    Entropy (8bit):5.922055634592923
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12160
                    Entropy (8bit):5.909257931532564
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12160
                    Entropy (8bit):5.932329607896211
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12160
                    Entropy (8bit):5.978369541609794
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11648
                    Entropy (8bit):6.062339350329289
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):362896
                    Entropy (8bit):6.567134576234215
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13200
                    Entropy (8bit):5.829166732171401
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13712
                    Entropy (8bit):5.762532273703946
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13200
                    Entropy (8bit):5.786245240431825
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13712
                    Entropy (8bit):5.824225848054239
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13200
                    Entropy (8bit):5.769639685684778
                    Encrypted:false
                    SSDEEP:192:teU6mkyO5RNBj/hVnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIrOuJA:UU7dMdhVnYPLxsSJeeMa
                    MD5:D6827424A29994CFD485606E94C7D689
                    SHA1:4422C28D8FA182026F01A540C1DA0C101327E951
                    SHA-256:BAF027F186B4D1D3CB73E29B6552739EEB27D9A56FD75423A3AF23A06C11CDD3
                    SHA-512:9E1F0B5E7B4C0D3BB59888105F723C91EEC6EE4C5983A205F7818C9A38036FFA14F56427F93A8AC75995AC9D6D707D328146D4F408D4459BFDD9D3044FD2876A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11664
                    Entropy (8bit):6.167206412301164
                    Encrypted:false
                    SSDEEP:192:JAlY6YQYOjFJ/N/hMnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMIrNFk5sD:Kld7RdhMnYPLxsSJeeMQFk
                    MD5:C2F576D635AEDEDD51AB80E4D88E765F
                    SHA1:AC7F7B16EC0CC10C3F7300E8F2348973784B84C6
                    SHA-256:71BCF927C24C7BEB9C59F28CF347EDFB7CA3A4D280E6C42CC4FA185CB97DB9B8
                    SHA-512:4E18C7F68135F6798FA5B5AAD953FBC96F516F1286A2F55F4AE8208AA9CB79EC351691BDDB5572470B020F815252247851581057ED66D5C8261A41B465AA1E50
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):440696
                    Entropy (8bit):6.573817126006041
                    Encrypted:false
                    SSDEEP:6144:zF8UgOf43YrBqrm7rRSyX+X/FDv0jXOQElV7XoWu9Vw:1g+qSjX+N7oX+lVEZ/w
                    MD5:2FCC1D5369CFD2849AB5A5CA06642948
                    SHA1:6253308AC6BC869AE66B0F7BC850F8AC538D6F0D
                    SHA-256:5A0CFE49A1F5132415E6B25B3651C7C334693A030C00321AB090BF4B6D1D79EA
                    SHA-512:4C1AF9717F93B772A71C27E38C609A8B9386FC00A895114A194D7D12DFF749BDE932CA56CF1A5AA8F90AF7B8729B0CFF0BA0271CC8E6CE28102CC3DC468A814E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1456512
                    Entropy (8bit):6.176949583331767
                    Encrypted:false
                    SSDEEP:24576:jh5nk+VFSiqlKGQdmUeGao1dTrYYkHFFRHWEG:jvnk+XjiudmUeGaoYYsFD2EG
                    MD5:956F6FAF524150E4DE4147BE8B45C13B
                    SHA1:1BFADB5685F7A4904966B69335E164C55A0A936D
                    SHA-256:B8EB744AC445D22B8F00BE34FE28479B3C2A7B9EDF4E19E1B34A97A70FFB4CF6
                    SHA-512:CF3BAE5C54B4E63F6E8FA82E5D8FF0E7A2DE663E9699CEE1749C44542EE51AC66978286A419CD91F9A87F0B43170D79D4A624075618597FBE040CE2BBCC48040
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):67464
                    Entropy (8bit):5.183101355716846
                    Encrypted:false
                    SSDEEP:1536:PgE0ld7QfEsdFh7bG6jxtAStdPMtBxB/bG5Ja:PzdPi6Lq/bwJa
                    MD5:FDDEB202B875207448209CC6018FBEF6
                    SHA1:F07BFDA31D48512F947779CC2D1FA14DA4D4BC6F
                    SHA-256:676CF4C65FA57C2398034F61CB7D9C56811B8B5DA712E961944E9D1B71EBA3D9
                    SHA-512:7C628D0CCE3C3ADE958E57B75D0AAEBDC02023F245863B22FBC8D06A560493936870F4FE61B0293931C94C2D011E69BFB6D7F45AAB29D6498C0B27B52F4E38D4
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):67464
                    Entropy (8bit):5.183976797710087
                    Encrypted:false
                    SSDEEP:1536:TgE0ld7QfEsdFh7bG6jxtAStdPMtBxB/1t5Ju:TzdPi6Lq/1bJu
                    MD5:4B61B06FAB90C0BE08BE804DDEE76184
                    SHA1:BF29A50B60A3587EFFE3EF30588089913FEF261A
                    SHA-256:2AE7831451B81209A6717A129820888D3B7470276BA643B299BD4C2CE930B4FA
                    SHA-512:AB2D512B132906FE1CA054AD0FAB0C3A681CB2FAFAF910CF246AAC0DB8943DD90CB8705E034D721A4A53B028D7E53E22586CE9151BE83178B33D99E8A925900D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):67464
                    Entropy (8bit):5.181516732128139
                    Encrypted:false
                    SSDEEP:1536:KgE0ld7QfEsdFh7bG6jxtAStdPMtBxB/hDV5JZ/:KzdPi6Lq/hDzJZ/
                    MD5:41A229F8B75C9B2D126090415FD06F98
                    SHA1:B32568256694B41D8F3928F921A2FE2070EFC013
                    SHA-256:1A296D192EF994F2F5FE0D0BAE3DB2968B6A75AB1389DEB78F7E32EA906D733B
                    SHA-512:1D1BD1BC2AE5D50A8A7A07BD109D9D8D8C72764747AE94A51DD6FDFC0697CD8A2ECBB4A8C4C0891295E3F7C491CC2A0D0809EB1E266F5B0610C8CE9AACB6BE18
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):67464
                    Entropy (8bit):5.207622028789361
                    Encrypted:false
                    SSDEEP:1536:9gE0ld7QfEsdFh7bG6jxtAStdPMtBxB/Xn5J/J:9zdPi6Lq/X5J/J
                    MD5:87DA2C0591697BFEFF701D4C61D34D01
                    SHA1:46043ACA97AAAED195163DFF4A75501BC72E7AE9
                    SHA-256:E437CB0F5FCD8521435A2132144EF86C811973267F5363445B073EB46420CB5D
                    SHA-512:05CD8A16C28B31A3E274EEAA53EE42C5BD31CB9DCD9B6070F087E23565E6263A65E335DA33ADC59E600D7CAE678635DFF6BF10F669EA0A5980F7B6CC3FEAF9A4
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):67464
                    Entropy (8bit):5.199422512537432
                    Encrypted:false
                    SSDEEP:1536:KgE0ld7QfEsdFh7bG6jxtAStdPMtBxB/yG5JCl:KzdPi6Lq/ywJCl
                    MD5:43139735D6B5FBB120F3E93F618AAD81
                    SHA1:3EB9C92050A217B10A0B1F19C8C248E33F2D9F8B
                    SHA-256:F2E30E8F2F283238B6952A8BCE738021B5175D71C72B9B1123EBCA39CFC623C4
                    SHA-512:56322A97B6958023C941BD900B79D5F0FBDCA8D298F394A7D424A471F54C66DF701EE64286212CF285D125FE4EA4EC34FF55F27B83D1004661AC212701E85B8C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):67464
                    Entropy (8bit):5.204819660170329
                    Encrypted:false
                    SSDEEP:1536:nkxgE0ld7QfEsdFh7bG6jxtAStdPMtBxB/oI5J7:YzdPi6Lq/oWJ7
                    MD5:09BBF350DD159A32F584B6862FC176D8
                    SHA1:BECA72A0D8D1D7748E4551F3ACB1F32AE0B84D4D
                    SHA-256:9B966CFFD8660EB8355A3C1F44A324EC1E8B268921E0FC826D93FB8488CC0DF1
                    SHA-512:073D0B6FCD66FADC527811FF332C666281ADAFC86223A3B40E9FE5C44309ABFF4319202CA13B7339278FF44E50096DD481617E84392562EB93DB1D7CD745CD92
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1575304
                    Entropy (8bit):3.117273150261199
                    Encrypted:false
                    SSDEEP:6144:+gF7O7At0KVhzMc64W/9CFCm3v1lOYgD1i3mJEu6B6bVue:Hv0KVuc64Wcv1lOYgD1iFFHe
                    MD5:69F949C6DA2B5686D795DE7391CC55A3
                    SHA1:5D9BCBD94832C03EFFA478B06321D3CAACDB8AD2
                    SHA-256:1EEC2E81D4EA0D365026C3C9317196D53357352EAD61550C5D27B61F93844B40
                    SHA-512:610FE7F518CF61FE363EFDB27C185784F7A8E3AC56C010FFEC0262A4EF3FFE1289D8B802250810EAEF136E4B41976EC7EF72A12279AB9017912B3275F547C469
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1567112
                    Entropy (8bit):3.1108850781283204
                    Encrypted:false
                    SSDEEP:6144:vgETI7At0KVhzMc64W/9CFCm3v1lOYgD1i3mJEuk0QUxCWuVkmPQaO:Yg0KVuc64Wcv1lOYgD1iFQaO
                    MD5:4E416C0A81288B4DEFBAC14A5785EAE6
                    SHA1:5D92D26A4C5073A651C5CCE08E6A3D5516C8D537
                    SHA-256:5317BD53291411D11847CE6EBC1AEEC70A555D127AB7E01A211E0C2074F3C092
                    SHA-512:875BC89076E66A646F2CAE9235D48AE91A8F618BE1F4424DD0DCB9E91CE00E3F8A709423FBB2C9A84B5E83AD0708DE0BB2566F5907B1B79CE5C50FA9D71A918B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1599880
                    Entropy (8bit):3.1248388271890373
                    Encrypted:false
                    SSDEEP:6144:RgZP/7At0KVhzMc64W/9CFCm3v1lOYgD1i3mJEuENhHzuFTo:mC0KVuc64Wcv1lOYgD1iFoo
                    MD5:8460CA535372A5035C96A438406DE641
                    SHA1:A0430245BD22F6DE2397DF0AB1B62FA63FD21F45
                    SHA-256:45EE8DA08B6F8E3019D50A5FDCDCE13687E63ADAEE41396849BE6957C7622721
                    SHA-512:344B97242E04ACB8B032774197B6E6D0FF7334106898EF91487F1D766CDFCE528CA8FC4A37997C97B46CA6DC747F30BCA989FAD21CB57A8F38A03B5466131621
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1608072
                    Entropy (8bit):3.134895652665869
                    Encrypted:false
                    SSDEEP:6144:IgD7RJ7At0KVhzMc64W/9CFCm3v1lOYgD1i3mJEuwVIr0WCEwEJI5:FQ0KVuc64Wcv1lOYgD1iFfo05
                    MD5:7569C9428EB0718FDDE56AC068FED0BD
                    SHA1:BF88CB37505FBFA47286B61B17378CF45FD69D98
                    SHA-256:D46F589923CAAE6135B7AC855B46889F0EDA96CE55E70D3C8A376824C28687DE
                    SHA-512:E9201091A0BBC1B0EFDB986275C9B7B265B340940623888C920823D99C44554666D985B85BD6367B6048DC11AFD9E0785046AB6461C3A0843BB6E5C362E267A1
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1595784
                    Entropy (8bit):3.124018214383175
                    Encrypted:false
                    SSDEEP:6144:4gb27At0KVhzMc64W/9CFCm3v1lOYgD1i3mJEur8WiBT9:190KVuc64Wcv1lOYgD1iFv9
                    MD5:F7ED87CCC5DA4E8F8F81F165DAE31A6F
                    SHA1:E59628ED8B5D80658A36CF79178BAEFF472067BC
                    SHA-256:7C1F9505A6DBC8187C8E8D9C762A9D31BD2D14E28B86F3ED6A5B24AB95EB5BD5
                    SHA-512:C3C1EC816BE167C8DDA732A29193630AC1FC385D29EB02249E1EAA214EC50333FBD6D5950E03FC7DA6FDF50ED4799DA08A3EAE2ED4C5DFC3A736ABDFC77DC28C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1497480
                    Entropy (8bit):3.266038956928058
                    Encrypted:false
                    SSDEEP:6144:2gcD7At0KVhzMc64W/9CFCm3v1lOYgD1i3mJEujREfNUvefikwokoBjoBpoBd3Kb:Pr0KVuc64Wcv1lOYgD1iF2Lneqj
                    MD5:338D0A07524D4A9C5AA9AF2E25F1C2D4
                    SHA1:56093E0E0DC758A8EA41DBC674B6C0A232106095
                    SHA-256:95115F729D51B06555E52D1C58BAD674390DAC1E1A99A53EA38FB71AB783D234
                    SHA-512:C43D73A61946476D59C355FD062352B9E36895C2713B748174213745E56EA5AAF76B1679D2077C19528E4DC224CF263767B9C76B98A6F9ABADD258C6385A92D1
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1575304
                    Entropy (8bit):3.1264222489068447
                    Encrypted:false
                    SSDEEP:6144:pgX5p7At0KVhzMc64W/9CFCm3v1lOYgD1i3mJEuATVVJbzWcefd:Op20KVuc64Wcv1lOYgD1iFCcefd
                    MD5:84567FC270A5A61963516C055E0961E5
                    SHA1:C84658BFEEEA105B2C92E9AB8202F96E994EC9DB
                    SHA-256:CB1E040799C63DC9F01CAD1E78B407C705CEAC9E8E6FE7FE6C04901F5EFB8243
                    SHA-512:D52E654BB19336B6138EFC95259DC20316228333678CA0EF7A87826A0B72FEA0A7563FB9A6FFDC72FC6B9BA32BE08EA242F5AB317DD6C1ADC65C98DFC5C7425C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1595784
                    Entropy (8bit):3.169946401365412
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1579400
                    Entropy (8bit):3.127805324699453
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1747328
                    Entropy (8bit):6.613729393712619
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):170368
                    Entropy (8bit):4.795361501215913
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):170368
                    Entropy (8bit):4.755916908023931
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):170368
                    Entropy (8bit):4.699071587075286
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):162176
                    Entropy (8bit):4.893832263331995
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):170368
                    Entropy (8bit):4.958741119741529
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):170368
                    Entropy (8bit):5.012126934394762
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15272
                    Entropy (8bit):5.579436805776357
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15784
                    Entropy (8bit):5.615530416171552
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15272
                    Entropy (8bit):5.586127104776063
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15272
                    Entropy (8bit):5.589082144576404
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14760
                    Entropy (8bit):5.916102104211119
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13736
                    Entropy (8bit):6.042270725915314
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13736
                    Entropy (8bit):6.0465996414037715
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14240
                    Entropy (8bit):5.743409284075921
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14240
                    Entropy (8bit):5.631402544617445
                    Encrypted:false
                    SSDEEP:192:A3HYI807UEAWhnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4rLjZ:YHR7UEAWhnYPLxsSJeeMwd
                    MD5:BF5EAB41180E5136AB814A1D07A737D8
                    SHA1:CEBA8CB4D1BB233D6C0CE8F65CC50A5131DF861F
                    SHA-256:1BDEEC3215E022F96C154A18A8CF2370C475A6737CA9DFDCEB70C6A1A37AB1EB
                    SHA-512:57DDD23CA807D243850924EC65E10FE28C58EA73939EC3211B5B406AF413CAEA2652CD9B63F2C1278183D7605176AD0655BEAC49181B322E327343DA793C0B8F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14240
                    Entropy (8bit):5.7176721830636685
                    Encrypted:false
                    SSDEEP:192:t2TI6mwsXuASJP7UEAbonYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4r2cb117:t2xp7UEAbonYPLxsSJeeMdchB
                    MD5:FE862E6484A39A98019848BCF9399A82
                    SHA1:FDE13A11913320F034E531CEEBB62583AA19F065
                    SHA-256:A7B67E6BCC4591632ACDB197AC1C3940E3CE09E6ECC49492A413F1801D6881D5
                    SHA-512:E414526582C52B204415F77842C72D52F33038A0C32B29B584A88677F33435D09196C620B3F719C5C99926C4484AE8BD2796ED10FB3287857D29EE27B9BCF09B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13216
                    Entropy (8bit):6.111874960977591
                    Encrypted:false
                    SSDEEP:192:Y3T0wqd45p977UEAsEnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4rehSb8:Y3Tjqd45p977UEAsEnYPLxsSJeeMrV
                    MD5:4E7574D8FA90C189B39B8AB34406E7D1
                    SHA1:E0E3E447C42E24BEBA80B37DEE9346EFD6FE32BE
                    SHA-256:32B473DEAE653ED1EC1D86518C8D793677E87C1738ECC2548A1B3ECBE5DA03D1
                    SHA-512:D748308F82E510C8E4CFE31B717BDE88D3548C855377C68D023A5A20749DE4E23EA4C30DBABFB63028E25896F331F445BDE780428131A0BE9199BD2FBB802192
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14240
                    Entropy (8bit):5.925331451388795
                    Encrypted:false
                    SSDEEP:192:EaWSpK7UEAv/nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4rdk30UJ:EGpK7UEAv/nYPLxsSJeeMkoJ
                    MD5:C8091244F5159F3A7B61B843EA35DF53
                    SHA1:5CE0549E128A4E4130478345023DED84D2544D03
                    SHA-256:BDA828DCE0A5A073AC64272C56FA3EF4498B4359437E76E240E63ACEB84586E0
                    SHA-512:A12974A76D41FBA7E515899E89BA6A16D20EB28644A6D4B474767D556128D22E186FEEBB7839587EC74E576C3E79C06BA0BD9AF67819C1B3744B1DDB55E66BBF
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14240
                    Entropy (8bit):5.739264313535579
                    Encrypted:false
                    SSDEEP:192:acWqLHNsX97UEANonYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4r/UehWmn:acJLHNsX97UEANonYPLxsSJeeMe
                    MD5:B4D462C24088401F6B41F5AA0601B299
                    SHA1:9A8354710772CD237485CAC0AC63638E81BAE198
                    SHA-256:368E98AAD8FA35A0C56E7D6BEE8D7860EDA6FE3CC9A631BFE72E27FD9D667F66
                    SHA-512:BAC7DAF2BF2851FB800638DDEEE3F250713711ECA84620F1441AB00C1BCF09064BB6D93FD0C95A24B501EF6D4D26C2030E846987E6EB0443C4644481828E39FB
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14240
                    Entropy (8bit):5.681511861931259
                    Encrypted:false
                    SSDEEP:192:nbqLL/SlBaze7UEArEnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4rBQnL4qfY:nbqLg7UEArEnYPLxsSJeeMnnMqg
                    MD5:AD2456E872016083091DB34FF1CBBA32
                    SHA1:AEAEBE5DA71BF20F486818305FDFD87700DEC567
                    SHA-256:33DF89146D614560FA2B6106565A691F70DA352AA52C8574F8525763B3FAAD58
                    SHA-512:AD13C706BF59557D5C7CD04E4B342864391D25DBF0909C0F4C1D5114E51F9902D5473266DECA228A9C002309A95021A86E986CE1DD76A6B175171F74F477A07B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13728
                    Entropy (8bit):5.979007064959007
                    Encrypted:false
                    SSDEEP:192:XIpIBIPdm/c2uBr7UEACWnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4r250Wbn:XIp8I2Yr7UEACWnYPLxsSJeeMT00n
                    MD5:04833AC8B9FB27F8BC0F42BF4274BD43
                    SHA1:7326A75094A0C6183CC2B60D10BAF70B8FE887B0
                    SHA-256:34EC483C223688E0A9DAF5CFD0D5CC35CC6AB86759161FAA0EACB0CF79101C3E
                    SHA-512:F1BB721A65110EA0C1B09512AC60B5CA525E1FC24F4252F9FEB88E77150A8325EE798AEC8A8673FEEFBA17CF78F6E81FBE14A681F9EAEE456014C83AA2C9DE7B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14240
                    Entropy (8bit):5.728599213184283
                    Encrypted:false
                    SSDEEP:192:/v8+/GkpuiGoxzd5NFJmrg8zRn7UEA/EnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMh:B4iGox7NFcB7UEA/EnYPLxsSJeeMtz3
                    MD5:68F2B79636827C57C26EAE2D38DB4C7E
                    SHA1:5F937BA60CD68EA67DD3C2EF97050027CCB6793D
                    SHA-256:70AED37A009B769AB8C5587C7AF14B1257DEADFF36A565DE8951B8E87C526FF2
                    SHA-512:B98337A6FA81E2952D9890F836ACF9BAAC13C8F112ABEB833C694F45C5E9FCB82E0B9F793BD8CD576EC0A6FFA98BE71137B966EF48D361FC4767C822E8B85C11
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):530848
                    Entropy (8bit):6.433448542294893
                    Encrypted:false
                    SSDEEP:12288:C7wzODZKDJE7V4xXDpNboRD7rD2eOf3gUz8VJTxl6w6dYZnm2:CYtoREf3gUo6dYZm2
                    MD5:49E4FD9A80C857F407C2871B236672EF
                    SHA1:98EBBCBC0A9ACC84A570245D54994DCAF38EEFA6
                    SHA-256:EBF7685C72DA5D94E316A3CA7097F06CF65E5EA349B93E8137956B4DEDBBB3D7
                    SHA-512:958EACCD11193DC4671046EBE3D9ECAEB0EE2DB9020C9D317EF2831C61468E3E9AC293B9B2C80B5F8DFB96ABC9DDE62ED03D47D4685DFD322261696D4B21ABEA
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14752
                    Entropy (8bit):5.572427947638368
                    Encrypted:false
                    SSDEEP:384:bbpVGlJMvVGlxzUEkInYPLxsSJeeMxgeR:bbe7MEMUs5J69
                    MD5:67EAE1EBFC9E3618A28ABCAE877D7BC3
                    SHA1:DA0EA48A6630371595343BA62229F2CE91317757
                    SHA-256:271DE53EAF4FDB635589810D2458DA3B7C0CE54721D3C4E67A1C1902B6C8FE5F
                    SHA-512:519CD869F62770C27FDCE563EFDF1518647D4678022802F6B4B3E8230F08E9CA38DA35FE480A1D817B379AB061675CC705C70795D91DD1032A5DB37AE23626EB
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14752
                    Entropy (8bit):5.586855600787045
                    Encrypted:false
                    SSDEEP:192:ZRM5j4NzUEH/KunYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4rLr6s3/h0:ZQszUECunYPLxsSJeeM4E
                    MD5:C946F1935AC5CAC35AE911C83AD7649A
                    SHA1:883FDD0C594B0040B97D3D71DF51CE0812CA0826
                    SHA-256:C74A57F5DE068E896151C844C066CF6D04AF472B618016D4E2589ECDB665AECD
                    SHA-512:C4FDB5C6D94C8EB23C86E5EA3C19329E41540626D9DDCF1940814A57DCA1F0DFF6B77B9CCE89FC047E783B567B0A7AA411BD2FE2ADDC383B0169021ABF255568
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14752
                    Entropy (8bit):5.5057777746677
                    Encrypted:false
                    SSDEEP:192:geMK4QzUEH/IOnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4rtUeHC:gc4QzUEAOnYPLxsSJeeML
                    MD5:A31E0C9BA73C9D6DB7E642165AB055AA
                    SHA1:B3E5D2EBDA675038CFEF6DEEE1815A0E4C3E5DF7
                    SHA-256:48425E69304F9F21A2C1DCC2388E9649FB1289114EA25C1D5B3EF7018C6E044E
                    SHA-512:75C43058F7C4204ABB7333CDF5BBF3F458528B758A83FB768E91C3D3412B88AEB06EC84E8271881A4FFFD955471DAB8E682EEBBD64A732F2A736384B9C2CFCCC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14752
                    Entropy (8bit):5.588321865116122
                    Encrypted:false
                    SSDEEP:192:aiMSOJCmzUEH/MmnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4rU3AL:acOJCmzUEkmnYPLxsSJeeMYL
                    MD5:EE5EBF7EF238D52E76B5E379089441C9
                    SHA1:37C2B51F64C93FDA442CA6455F2A704D449DED78
                    SHA-256:50C489A83B0B1334B599B80D1BFC10853CE3D0EE49BF9AD06F46386D79760AFC
                    SHA-512:52F64A1010EB3EB3EE3E310723B80CF117F82C53A1809BDC03AC56B771A7B4F178413E2237E9CE72506E1B82C18254BF36722048BEED43674791028706ECC82A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14752
                    Entropy (8bit):5.580944729576841
                    Encrypted:false
                    SSDEEP:192:RGMPeGYZaG3L11WrPpCw3LhzUEH/8fnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4rc:RJkt3LmrPd3LhzUEUfnYPLxsSJeeM3D
                    MD5:3ED75C4B3A2EFFDCC11C00548181D3EB
                    SHA1:01C4E22F5B84CE5E75287A2BD7EA0F1512DF9B27
                    SHA-256:BB01A942E8223AD918EC7B7353B12536F5C174055437725E8AD109E06315F122
                    SHA-512:0156C332EB1B7C26885334196B108BEE21D43ADC5E189BE3E9455558D06E7030D749D3CA38207FEADC8B22D0A8F00D91D1E73DDA0AFAD003C20C7DFC007AE444
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15264
                    Entropy (8bit):5.602087979747982
                    Encrypted:false
                    SSDEEP:192:q0MNnmlfs0YH3GVC0kur0YozUEH/aKnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4r8:qtmlvO6CPVzzUESKnYPLxsSJeeM4Q
                    MD5:287F3DB0ADCA5CC2504075AE03E61A23
                    SHA1:A35AA863BA381D40AE9A0C4A7100A8CE20AEAD35
                    SHA-256:CAE8E88CFA7A769BFEBA390D1347D6823101067C2C67D1625F9ACB218BB5C754
                    SHA-512:5B938A9164D1CEF9EBD4DF3045D66D6C866543233245497E5F01102E1C82A0572425D611087A699CFE8CCC56B8C4A6DB4ED2380A85387F8B8005255EE757E068
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13728
                    Entropy (8bit):5.976804466810924
                    Encrypted:false
                    SSDEEP:192:h8tMjRKXaiahzUEH/zUnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM4rfXhsy1Sw:h8YRKIzUELUnYPLxsSJeeMoXhDb
                    MD5:0BD8F50EF8F2AA2F728978AE1D8A99C9
                    SHA1:EBE711C7B39AA8E7111D4D9BEA642E66EACD2E00
                    SHA-256:B618C34A5A68779BC1AE22AF6CA87263B4C29DAA83C8762592A512323364B5D9
                    SHA-512:7698669FCFEE226074E3D360413B16AE7EF788AF3A42F86757E11AC6E71DAD2FD3E3E8749406C2C0F30AA9DE13832DDD327D58603B3C81F0763A70327F480592
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14752
                    Entropy (8bit):5.502233222498428
                    Encrypted:false
                    SSDEEP:384:56Xwom8u2QIi5ttqOzUEaTnYPLxsSJeeMeH:xQC5oZs5Jr
                    MD5:D3ED5C189C52EB6D96E0677CFB95220B
                    SHA1:4B26A32BCA360498993D9018F813FDCC1AFF6BA4
                    SHA-256:1997FE5BF72B1EFE684C1072D04A522690A5A14601D9BB495D7215E1AC1CAEF2
                    SHA-512:192905B96DC331F3095449F5C30A56E759F23870C78ABA6C4A7364A2328A0F316D20DD27B5B68EF72F7D69F383F25C8D5DFAF0D7F84972C9140DF4E2FCD3C9BB
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13216
                    Entropy (8bit):5.953496259604439
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14752
                    Entropy (8bit):5.544854189294014
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14752
                    Entropy (8bit):5.546695012993191
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14752
                    Entropy (8bit):5.5442961176300924
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14752
                    Entropy (8bit):5.459618018207968
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15264
                    Entropy (8bit):5.791799691314898
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14752
                    Entropy (8bit):5.566885320663914
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14752
                    Entropy (8bit):5.8770789884340555
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1038760
                    Entropy (8bit):6.396339323775237
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):19880
                    Entropy (8bit):5.253501739911477
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):19880
                    Entropy (8bit):5.260905197103599
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):19880
                    Entropy (8bit):5.234611276686932
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):19368
                    Entropy (8bit):5.332108467982508
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):19368
                    Entropy (8bit):5.285943081351036
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18344
                    Entropy (8bit):5.769781993222807
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18856
                    Entropy (8bit):5.306581318389904
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15272
                    Entropy (8bit):5.953925108567496
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):211360
                    Entropy (8bit):6.4129142495194085
                    Encrypted:false
                    SSDEEP:3072:MYoqTRKSucoIG1bxo0HvGy8S81vM1FG/0D1ufQ/JrZsZZTYAsODAG5CbXJUt:eItPoPdPGyAM1FG/0DGAmZJYAsODAxUt
                    MD5:F01B2D2A0A4632223C406361E661DE16
                    SHA1:157A363DA6EF85087FCE752FF1370C9EC4C13CC2
                    SHA-256:CFFDE4D8A6003BD65E96B3EADC483CE37D85C31F69853ADB26F55B7C33A26275
                    SHA-512:2CFDA86CA34D77B92A9D2386C26C4B4EECA79ED51CE26E2E567C2DA7874B9BEE3396E48BE20C924E7F5D6879BDD8AFEBF696960DB128E740FDB7E1DC4FC5720E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1744896
                    Entropy (8bit):7.282014324970221
                    Encrypted:false
                    SSDEEP:24576:dmL3847a3P8slDdvaB2p+uuJ9fEzq1CJDrwHb/IRTv78vvDuzlQSf:dCgUsfaB28uCf+q1sKIRTD8vav
                    MD5:6EC2FFBF1D237E6912F141F00AF27773
                    SHA1:8F848AFD740EB144D22188D3425336BF6F6949A0
                    SHA-256:23D78F48E5DDB71D9CF2134E2FBE466E97908984674D8B35D87079BFBACEDA6A
                    SHA-512:B99D6775501BDACEE641EC32F7712CD36F4D34218B84696EE393232729C0A2E91CA55DE5D398A76FFD52174937CB3730BB738195712542C4C77D3C10D643585E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text
                    Category:dropped
                    Size (bytes):1607
                    Entropy (8bit):5.812129168051936
                    Encrypted:false
                    SSDEEP:24:tdHeBhzuFkTflniRLX93EZ5fB+wgn4A7oZ/SdFMHsf2VTVQhD:zHCN7TfIRhER+P4am/SDZ2Vhm
                    MD5:E5AAB90EB02F2FD058879EED9C57549E
                    SHA1:68F232A9233EF447B8703A84D4BBF6C2F3D3C611
                    SHA-256:F2A91749F4852C97F608422F18B4C99D5014CABA8756B6361A482B0A60B5C7EF
                    SHA-512:41C326AB1628E5E9C31ABADEDBA88705125136F40837DDCA5E8F8C7405EEF74472A0C36F7A739E23AFEBC21A9F451C41AB30845F20C07F94BB85EFE692FAEA48
                    Malicious:false
                    Reputation:low
                    Preview:<?rsa version="1.0" encoding="utf-8"?>.<Configuration>..<Product Id="Crypto-C ME">...<Version>CRYPTO-C ME 3.0.0.0</Version>...<ReleaseDate>""</ReleaseDate>...<ExpDate>""</ExpDate>...<Copyright>....Copyright (C) RSA...</Copyright>...<Library Id="master">cryptocme2</Library>..</Product>..<Runtime Id="runtime">...<LoadOrder>....<Library Id="ccme_base">ccme_base</Library>....<Library Id="ccme_ecc">ccme_ecc</Library>....<Library Id="ccme_eccaccel">ccme_eccaccel</Library>....<Library Id="ccme_eccnistaccel">ccme_eccnistaccel</Library>...</LoadOrder>...<StartupConfig>....<SelfTest>OnLoad</SelfTest>...</StartupConfig>..</Runtime>..<Signature URI="#ccme_base" Algorithm="FIPS140_INTEGRITY">MC0CFQCfQoOV8qOkL+D72MNN2RS7OMFpPgIUaj+rGhakXXSx0DiqdnNYOpWYGxQ=</Signature>..<Signature URI="#ccme_ecc" Algorithm="FIPS140_INTEGRITY">MCwCFF0HoREWNyeecg1xpa8P3wFCfv7BAhRGFg1bPW7QX3ar4iazbyngm60ybQ==</Signature>..<Signature URI="#ccme_eccaccel" Algorithm="FIPS140_INTEGRITY">MC0CFD5uNlPxGLXRZJJSMGZC6yCgalGCAhUAj
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13792
                    Entropy (8bit):5.630791174492886
                    Encrypted:false
                    SSDEEP:192:ajRYwic6ZssGb4nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM3rva7Fc:mRYcasxMnYPLxsSJeeMraS
                    MD5:9A4833E33C52EA7AC65D1AC218129EB7
                    SHA1:8C754F63DBDAA1E77646945D492EB7357FD0DC65
                    SHA-256:27708869A35DF1E58A2D60A3B9359ED2FCD368FB1D0CDFFA56CEC1A84514CF06
                    SHA-512:64042D7A67F898118F12DD6C356F77FD997FCEDA37146ABC0344BAC2CB9BBE3E5DD53D7EC262730FAEF7810AB20F6A00F8EB53A0E491115F744EAD1D8A67B1DA
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13792
                    Entropy (8bit):5.63452732601052
                    Encrypted:false
                    SSDEEP:192:L+mAssGdnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM3rrjDxw:BAsxdnYPLxsSJeeMJw
                    MD5:242D9E3C049FFFACFF46B46A55CB7495
                    SHA1:1318879FB5ED9B79DFAA156B87B1FCE924CEAF24
                    SHA-256:D9761862F40A200EEFAA7AF6302582C71C903C777EEE543886134E39484298CF
                    SHA-512:0158FA3884A539B2E4C05FA75B5A01BE05DDD9CBDD9A257FF0332B4314AD27713958B262D7F20CE4D16EC3FFD75BC5C043B49C05229C06D363BD99DECB1B4982
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14304
                    Entropy (8bit):5.569011518390716
                    Encrypted:false
                    SSDEEP:192:gLuoK/x9bNssGccnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM3rbAZCrnK:gCoKxZNsx7nYPLxsSJeeMbu
                    MD5:BD29EC0E75E377CFD4BDE67DAEE295B3
                    SHA1:D92CA66CC08EE7F4F864ED9F27924C693F3F86D2
                    SHA-256:557E83D29E1484A88BB8FB42F926C23AE4F6176120FE061DE6AAE53526B847BA
                    SHA-512:89CA753CC7CB1D5259433BEA4C6741010765481F49525CC17E6C11F4B23CA0643326145FA42E1874A635FCDF121A018406D315C682066F3A71F0B917BD3A13A8
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14304
                    Entropy (8bit):5.652463516555734
                    Encrypted:false
                    SSDEEP:384:ne+Fa8ohq9LV9jNKFtsxfnYPLxsSJeeMr:ccxs5JI
                    MD5:1F6FCA8047806B1169D784BE9DC1B0B0
                    SHA1:56F0D551AB9FB40F024B7CAF2B552AE94393FB20
                    SHA-256:4527C695024B78BFD7C4253E1FB0671945968C8407A1B6B0263BE365BA131E7C
                    SHA-512:48FCBA28073A4C62D3B082D772866E7A6C1F34A556E1A100CBA04308BC96B646AFDBC134C3B1E6982E14EF63B851A5DD18AB6AE726C3C923EC3A1DCC72C765FA
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13280
                    Entropy (8bit):5.842835611285939
                    Encrypted:false
                    SSDEEP:192:addqfF5ssGTnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM3r6Lz:aXqDsxTnYPLxsSJeeM8z
                    MD5:4686B762B8EE1B7127F2F8706F566268
                    SHA1:2FCDF5E34232B4D178BC62BC7180F9114B7FEA01
                    SHA-256:DD82A2228E50FB71B358DE4421909F7C58684CE6D0EE8F4266527BE4ACCFBED6
                    SHA-512:88D74756D054EA8581766CE56CF3BE6237C268A52971DFAC47110AEA90564DB724E36B1D8B5FC4FDFA19B5466C2F6DAC79612D5163671481BD7905A905B421CA
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14304
                    Entropy (8bit):5.680567636244029
                    Encrypted:false
                    SSDEEP:192:U9DcW5wssGvnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM3r72t9v:gD15wsxvnYPLxsSJeeMC
                    MD5:E86A94CC705A10A9C2997093F472C599
                    SHA1:93C49A21B0A2D2D97FFB026C58FFAC279C99063E
                    SHA-256:E44CF65C6916B91A692A82DFD63DE051B0575FE148BA54BD513D28D6852593C8
                    SHA-512:45DBB8F66615281BF1DAA0F9CB152C7D73355B3073674C5AFDF6FCC1B82C727051F6B1DD7977BC70A394CF37A05312D86E1F7F6E3E16A861669EB1588A93ECAE
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13792
                    Entropy (8bit):5.626993013295661
                    Encrypted:false
                    SSDEEP:192:Y7EIlassGTnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM3reII:YQIMsxTnYPLxsSJeeM+
                    MD5:E2D86DA22BD6EE3BE559C0784277D52E
                    SHA1:EB7E5143F240E7BB51E8496DFB5F94B9F42C3E5D
                    SHA-256:C7E063188A37DC417FE2A1EE103DA75C49E3B8B70F200768348FC4B89983EF1D
                    SHA-512:7C6C01611F8826219B22D9F209A7E03B0CDB2F4E3D88694849B3EBCC4434BD1D7D1B4299D1228A184EB17FC8816047CBF32F09845853D0879DA9784801BB3BD5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20920
                    Entropy (8bit):6.218499013636677
                    Encrypted:false
                    SSDEEP:384:G8OXp2/qhFc6VqM5Ojh6CmbT+nYPLxsSJeeM2GQ:GlY/qo6YmOjrmbCs5JLG
                    MD5:7F9DCB27FDECD12AE31242B59E4A2980
                    SHA1:DDD25CFD3CFCAE38F77CABECB21DE2A0730CDA96
                    SHA-256:EBCEFB4218C7BF01E8BE336C00F574B48A0090569FCB3DA666EB3D98BC4D7934
                    SHA-512:32373C09F400DEAE3DDCB05709014238616773D959882CA6B6045ED094AFC4B8301BFE05BE0CD1ABF3BB522EBF691653683A89734069314D260DE13C3F05AF6C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20920
                    Entropy (8bit):6.219964648343995
                    Encrypted:false
                    SSDEEP:384:C8OXp2/qhFW64qM5Ojh6YrbTmnYPLxsSJeeMsfM:ClY/qi69mOjZrbys5Jdf
                    MD5:A2E453F60170EED51B869739DABA40E8
                    SHA1:BE71F393CC2545C94AF563FEAEF34DE48758C5D6
                    SHA-256:ABB4A5FAE022121F4DDDD53CF5F78DF9BC8D5C1B804EA90C1C06B88ACB7E0027
                    SHA-512:B03CD974F4CDD4895F8CEB5A19A5152B3B5CA5F90947A8D20067AB423FF81B9FE9018E16A61B6960A8E6B00865537359AC401B6F7E341641E96B8FE4DD891E8B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20920
                    Entropy (8bit):6.218187673671721
                    Encrypted:false
                    SSDEEP:384:B8OXp2/qhF06/qM5Ojh6SUbTPnYPLxsSJeeM5r:BlY/qg6CmOjjUbDs5JAr
                    MD5:9CCF6E743BCBBF48CD9BA9803B80D97F
                    SHA1:EB1ED2B815A7B6AE8CC509709F22C1A7F3CA332C
                    SHA-256:35A334A10C5633A9EEFF44315314D4448049FBCA33C6313C6866EE149EDACD87
                    SHA-512:D5C996D3AD613A331AD0691637984FF66205AE8654B822A7235E3460D130597E830533CFA524A786AD5044849CAFA4C191672AD035FB02651E0EED3792721A78
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20920
                    Entropy (8bit):6.2222918989276845
                    Encrypted:false
                    SSDEEP:384:18OXp2/qhFK6KqM5Ojh60VbTxnYPLxsSJeeM311:1lY/q+6HmOjFVbNs5JK11
                    MD5:EDE65EA3202E989DA64FFEB555FED26A
                    SHA1:2A0E5C47E936B87F98A9AF2B23CBB2F14ECFE4AF
                    SHA-256:C15D952EDD05CEE896DB8818C3D1DD9ECB1E39DD85EB2BFDF5A7138237094AB6
                    SHA-512:F6F3B22F29F2B2952C67B154C4120C0193076873388E0999007C3370AE143626DF0B1C6B89604A87DB1BC8E0C183069746855C7E01672BACD5A131AAC0B6318B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20920
                    Entropy (8bit):6.220436118494774
                    Encrypted:false
                    SSDEEP:384:GG8OXp2/qhFr6AqM5Ojh6hhbT+nYPLxsSJeeMVFI:plY/qH6FmOjshbCs5Jc
                    MD5:C7B5A2626843940A2F8F5BF773FC919F
                    SHA1:F06B98E1F10269274D401B91788FC59ACE73E185
                    SHA-256:26CFA3C8591BBB233461D325DFFFE894769C13FCB30D6F73B72230F4BC20D739
                    SHA-512:8885F1741D38ABAD8CDF730920C9B6FF7476DA5C8AD942B8B97B225E5A5BEFDC85E9E91A755EA41601B80971CD9493EB1D8EC9AE32978AD110E53805C07475E3
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1309056
                    Entropy (8bit):6.642686359888563
                    Encrypted:false
                    SSDEEP:24576:SFgfsCH9WKm5nWOxxIrIeARg956HfzbzahPzn5pSqReuGPepCOIjsqapBa8UWNI1:ggfsCH9GfxIrIeARg956HfzbzahPzn5s
                    MD5:287E553C670B79B8D566D40F26323422
                    SHA1:938569787EE05AB0D4A34EB685FFE1545F8E31D1
                    SHA-256:5554AC1938CBFCDE369352004A10090F99C4D70D4BCC191B6FF60924A03B35AF
                    SHA-512:E3201E92AA239F126774ED8D967352513234DF900CB9E36F459FACCEE72D6EEC56DB9F77D6E99DC40C2DF7FAF2EF7E9BD708359D7C7915B48D4FB0909652D56A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1309056
                    Entropy (8bit):6.5892140097857
                    Encrypted:false
                    SSDEEP:24576:wunsYm5zm3E97i6g/30+HX56O1ff23oYBCa7XwEqLMA:wyUPZgi2fxY/grLn
                    MD5:99DDFB9C59DAA5AE959877093448095E
                    SHA1:B3F7E9AB0172B1364EE4E5D285A7B73526670C20
                    SHA-256:8F29F72968ED42233178D7A97FB44E422863CA5054F3F17BC2B31A7C186672BB
                    SHA-512:C637B061991D8B38D87F3BFA56E92B7E126B93C799BA831A0DE4561E75E817C0E574A2A3FFA978B9A74B90F8102C5CE14FEFA50B47617E32306812092222F76D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):23480
                    Entropy (8bit):6.001299085640678
                    Encrypted:false
                    SSDEEP:384:A8OXp2/qhFc6xqM5Ojh6CuqS0LaONG3sEybTfnYPLxsSJeeMgf:AlY/q46cmOjvuib7s5J1f
                    MD5:654D1B71380331C468129B3E3CA9B3DA
                    SHA1:532A4437E880F2830E336974B7659DAD5422779D
                    SHA-256:8AC099446C1DD00CC8E5FB731299225738EECACCAB7F6268F4407B893F1461F0
                    SHA-512:715B24139BFE945D1DC025902972768544616B47A73F6BEB0DB36E7D5CB795A9BE8B5CD582FFEA1286749F6CBF8FA29FD7EFF076202FB2F7AD961611DDAC5CD4
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):23992
                    Entropy (8bit):5.989381306884842
                    Encrypted:false
                    SSDEEP:384:k8OXp2/qhFP6EqM5Ojh6Yk10NUrJbT7nYPLxsSJeeMUFP:klY/qT6hmOjxWb3s5Jx9
                    MD5:5C474223826BD21F7FEDE45C096C5131
                    SHA1:122BA95B4F6D848E6B5730B32F21FA5F8FA28D7C
                    SHA-256:2BD6D33D93E763BF875DAD48253C9B1A08EEF6E8D9EC551427DCA4B148C58AB8
                    SHA-512:EF6E1055DE62A15218EBA885E260C48764B71EDAEB8A376600C00BAEE9D38E70840A7DE4D0D9594B4E5FFBE01ABD9F36117FB049EF8A65E9EF3808C00D133084
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):23992
                    Entropy (8bit):6.042374970888406
                    Encrypted:false
                    SSDEEP:384:N8OXp2/qhFB60qM5Ojh6blv4kD9TsQpD9MbTJnYPLxsSJeeMY:NlY/qt6xmOjmlv4kD9TsQcbds5Jl
                    MD5:80131DF7A6A23C50089545BE2A9DC4C2
                    SHA1:93A79AEDE065B27B19704D1D267A5F46B6198813
                    SHA-256:42C2A8101B88CBA25BD591678933B5BCC5E2078261EA444990D781D85FFD52BA
                    SHA-512:9CC85852CBA0657DA1C64CC353387A8E39469B32769EE8CD930E52DC3BB8043A932EA25A18CD5D24C3787243F974DEFBCB825EBE6774862600DED6F11EE6864B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):22968
                    Entropy (8bit):6.1871862024413335
                    Encrypted:false
                    SSDEEP:384:K8OXp2/qhFu63qM5Ojh6XB9obTdnYPLxsSJeeM/M:KlY/qa6amOjSkbxs5JW
                    MD5:B403D0248FB00E3CB6C8C63352805B9E
                    SHA1:7125E2AAB57096C2CBECE355313D0F53432849EF
                    SHA-256:8C53F1D1BFDFC16C12F37A50AD810148F22AED9A1D971D8CE68BC895C5BA75ED
                    SHA-512:B0799AD7D25DA7DD944C6333593C37B7798E142B616FD06225829F5E3AEBD97D8B5A1D1102C9CFF23B003D3B47B5310DF82DCE6EF47EDA79CBC7AE00166A70B2
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):23480
                    Entropy (8bit):6.092787587317569
                    Encrypted:false
                    SSDEEP:384:18OXp2/qhFK6FqqM5Ojh6B1RIrt9wUbTsnYPLxsSJeeMiF:1lY/q+6pmOjU1RegUbos5Jb
                    MD5:B8D56F5881AFE01AA709423D3259D192
                    SHA1:6E2B078C0078A250A955392332702C874351BAD1
                    SHA-256:04F791B896CC726038EAEE0A386D535AC3F26D9F75B13302F917C5EC4CB56F96
                    SHA-512:706E77F4EED09E50529A3D45382AAE8F1FB48764D1A16E91174B03DA710BD78C8B90DF3BA9806DE4A171037F505DB12C5B96E350435846EEE0550E2CA28ABE4C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):32768
                    Entropy (8bit):3.959367821701715
                    Encrypted:false
                    SSDEEP:384:0ksXGTnZE0ktFMmbL/fvXIy1twoCm8Z40Mlff/4Ifr1iAO8hq3D+97LtMRjrn5l+:01GLZE0wSqL91twoH8aBMJrPV9C
                    MD5:7EDABF7BA0B7231D586C7D89F3D09212
                    SHA1:9B5291EF2D4DEEF02189B02E5BFFC6D8AC22DB33
                    SHA-256:B8A592FBC2DAAC52C5837F8723E497A6430FBBC16D5904FFA09BC7CD9907C7A6
                    SHA-512:7B73F77FC4A60B27157C81B78A6A3825A02081E508F5E44DEB33281D5430D0C24903864639C0C8E55A4EC763E9DED3A4E793B78D204807EC73B6CD63449DB4B5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1698176
                    Entropy (8bit):6.410694586826691
                    Encrypted:false
                    SSDEEP:49152:XidVH0HtfQ7YgpCkz5jEE14pUClEMp3lAZiW:xtfQ7YoE
                    MD5:F6D67A7D2B28FF657849FCC0465619CE
                    SHA1:651C35B83CE8A36FA4B01A16076EDDB72E3D306B
                    SHA-256:D8B61741D736468D57D569ACA2349B53B9FBB053D731A20FE632368951C54B1C
                    SHA-512:0ED12B86BF8D76BB29B015A41DE6F784153ABDB8F4D011E1F8FF15FCBD2F4911A7625B3B3ADB672A8D35B169290270C1EEBB7999703F5CE83A4AEB4DDC658FEE
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):140160
                    Entropy (8bit):5.873646382571993
                    Encrypted:false
                    SSDEEP:1536:jsIZLXYP+0HXfBOXGO7tUvu2VuaiMlaMviVMsvyLfeFdhZsH4ba4cR3PEERQS25J:jPWPPHXJY7tUGafcVvvyLffPqRJ
                    MD5:D1B91179104EDF7E05D37A97A1238855
                    SHA1:0CAB2F215CD3A4B21437DEBE41A5E3A663283F25
                    SHA-256:55F46271E04D542D71240C868D1048FFE42308B40B696703AC23A88C04D97584
                    SHA-512:42FBB29E605A797E326E664A05CAFFABD253C37B0558131F1CC7EE3CDC6B78EEBDFECAE7D4373512EE69D386EFCED5C2493FD4F09BD6D2275C77A112F653579A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):137088
                    Entropy (8bit):5.941918858925623
                    Encrypted:false
                    SSDEEP:1536:nwMRL5hRInknGIctvy2VuaiMlaMviVMsvyLfeFdhZsH4ba4cR3PEERxNU9N5J:nne8ctvyafcVvvyLffPNUtJ
                    MD5:460B3F898331B4B7971236871DAAD4F4
                    SHA1:1B7E003F5EF4B1C08F8D5F6A5CD00BAC3B5A1E2A
                    SHA-256:1D6764F10ED9E3D82D79FBBE98F35E2EA03C49D8118E572E82F11AE79A4F5379
                    SHA-512:8035ACDFD62404FE03ED792D02799B2097AAD503BDB233BF8B7844DC8D866E581041C8A798F2AA00B7C0D2FE111EEF3F86ECA898E33935F6BBE900A9EBC37D9B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):140160
                    Entropy (8bit):5.875252711796988
                    Encrypted:false
                    SSDEEP:1536:wM23lAwhX8ncZ1GV1tJe2VuaiMlaMviVMsvyLfeFdhZsH4ba4cR3PEER2275J:w5zjc1tJeafcVvvyLffPkcJ
                    MD5:862F3852B3CA2B535E0158878396795A
                    SHA1:B316253C0E89E13B712951EA259A0FB4B462F33C
                    SHA-256:D1648190B62E871F5A2617C2A3FFA57E5EDBCB9EC5DC4FA296182A431C8BAC26
                    SHA-512:5EB5D1137B8811FAA479AAF5098DB2AA601CBA980FCBFA3E7CC7406CD1E4B0604BEBF5C5A325D70BD46C2E06CEFCD7686C5178E85D1E80AC1B8EACE2C5D79966
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):139648
                    Entropy (8bit):5.925232223897365
                    Encrypted:false
                    SSDEEP:1536:gwMRL5hRInknGuRt9b2VuaiMlaMviVMsvyLfeFdhZsH4ba4cR3PEERX0v305J:gneCRt9bafcVvvyLffPB0vKJ
                    MD5:CEED463A499A6F511EF8710789ECF2BF
                    SHA1:AAFFEBAA1825304E3849162829F1BDC992F01AD7
                    SHA-256:A6DA1ABF05DE820EF858FB967F4960D8B2CB41183EE4A869925BA764EA9B13AB
                    SHA-512:6F33B23B0B2911A4DECA6C5F6FADCC884439206297FFE74CE132B1206774617D95C68AD0D8B19A86F3E54EE6B87BF53189E2208D6C8C06F59D057D2A114B9DEC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):139136
                    Entropy (8bit):5.956594561110827
                    Encrypted:false
                    SSDEEP:1536:/wMRL5hRInknGeht292VuaiMlaMviVMsvyLfeFdhZsH4ba4cR3PEERZvHZKPa5J:/neSht29afcVvvyLffPXHZK0J
                    MD5:5FE703F9153D4661D1FA5371AD24CFA3
                    SHA1:3DA6EF1DB6AAE848A2ADD211178478894015B04E
                    SHA-256:8A12B3CA227B67022A7F3127A6186B4B721C26A5F3548819B28887C2829B855D
                    SHA-512:776154ADF0904C9CEDB85F806BD00D1C223B5104D9EE4D595EF9167B88AB14141019FA67DF81DD576E29AF6264A14CCDB6E893D54A724D39D55B945355770A83
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):139136
                    Entropy (8bit):5.845406587775982
                    Encrypted:false
                    SSDEEP:3072:KnevJtiCafcVvvyLffP3RcNj2zslTIrav3f4RrJ:czCa0VHcfXV
                    MD5:D247F53C8636BA8A30225469B096AD52
                    SHA1:A1E5D654CAF3A90BBD2933202DB726D315C8A9BF
                    SHA-256:F9F3FC191B73F078B99B73C8E055DBB76E5AB030C04A5E2AD04CC3771C01FFF2
                    SHA-512:93F49FA63721D3C46A8BBC844F5688D2E36FA3EDC5F78B5349A065FC5F599A3D34013B1506A2E97661863D3C6B918512A7E3E80FF0BB1B4D734F7BB3B32F70D3
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):135552
                    Entropy (8bit):5.924949383886347
                    Encrypted:false
                    SSDEEP:1536:MwMR7ZFBdXtnGxIteP2VuaiMlaMviVMsvyLfeFdhZsH4ba4cR3PEERHy4l3u4n5e:MnhOItePafcVvvyLffPca375J
                    MD5:3FC330819E5C340911C005C5E285C87B
                    SHA1:D59995A92775BC6022CC939CFDBB990EE8951B8B
                    SHA-256:380D2B9EAD7940888D80392B6D25DF3A918B8810E14A23D9B6A19B9FE39C72CD
                    SHA-512:9847DB678A4D6E692364161C3F0E980E2772958A59C975D16F302BBAAD1CC06B2125822C9B99640D34A7A01764ECE19993812C68C92CC577DA7B44375EF7D545
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1617920
                    Entropy (8bit):6.6153263572152055
                    Encrypted:false
                    SSDEEP:24576:Os+238ukWHxLC1m5nWoOhAAjrn2yqxrqjJjMeq017q:ZkWfaAAjrn2y/hMeq017
                    MD5:F7B708D83212E25A80DE21EDB2CF6278
                    SHA1:AB5B65521482B47EA3B0D2E9F06F3CCDE1960A6C
                    SHA-256:418C22D883921CF002EC3A4356640836254D1DB9D80E5FDC58F17E3A1D9A2573
                    SHA-512:98561D3BF1A74BEBFA0F350175CFF75F63B606F32E6ED519289367FA3F723781E640239C97E6EC9076BDDEC3EA73788ED56E445ADD4AE4ABEFEE15EE4DA7153F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):98304
                    Entropy (8bit):5.938759901875955
                    Encrypted:false
                    SSDEEP:1536:0+YgYYgYYDKwAkgGQfMQKKpbuOC2Bq5q3YHiVKODjs4X/qF:ZYgYYgYYDKiQfMQKKpVZUo3KBODjP/qF
                    MD5:C520E5DDC25FDCCF5E41A058FE43A4EF
                    SHA1:77A80A1302F85C7CE621783E3BF5C9FC57E508E9
                    SHA-256:E6F6E92A371506743E2424F5810FF35E5797DF23AAD0880D3B7AE68C2D297A75
                    SHA-512:C734A5D3919ADEDF875B6635F8F7E8250E00A284ECC02D0F67DDD3E379455243BD8B7E3DE223DE9C7AB33652A632A1E6212E117234D68C45CED437D8805B08B0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):782336
                    Entropy (8bit):6.615803961992056
                    Encrypted:false
                    SSDEEP:12288:Mm5FAsm4KAFRW2eN56pu9PmMsbIWD9T2aTYNimIOndoKc9:Mm5FAs1KAfW2eDIudmTIcpdEjRc
                    MD5:0B63138433DC40DD105AEB25DF16D3F8
                    SHA1:19AFD1BDAE2D89B9C61BD0C1E74F8A78B23189C6
                    SHA-256:F0D88530370A262D0DB8CCABA585561DA8C68735781257FD7FE04DA98C2CE8DB
                    SHA-512:414684687B7B5CF9DEE3DD5CF1FECB16ACBDDA15120B4994943864AA11575941D7BBD395C3AAAD0A934D7BADC7E97124E94CC8124E939DADB81F63091748D63B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1645320
                    Entropy (8bit):6.787752063353702
                    Encrypted:false
                    SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                    MD5:871C903A90C45CA08A9D42803916C3F7
                    SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                    SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                    SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18944
                    Entropy (8bit):6.079896303363264
                    Encrypted:false
                    SSDEEP:192:Osp6yEkGeVt7mdxy6BhUDwDBEKhixWPGqLukwRWxlRYlRXwHV1UBoN4GI6kmUx:Lp6yGeVABrKcb7hjYjXwHHU04GJkl
                    MD5:48FB48BC57BAAC3B312DEEE430D3C19F
                    SHA1:ACD731D9E56345CF2C7CC3933A8848EE9FD507FB
                    SHA-256:0472C650C3D959BE3887B962BF2A4A897F6A94D51034A8B7732362CDB87F1E03
                    SHA-512:7B0ABB0A1EED170BF98CB028E17CA7CD7F6C8CF6CE5DE16E775297C92A597184ED57A37E62D58A0272C9BC31544FE93AF9349039A6F5089A3BEB3F1F2743151D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):4372928
                    Entropy (8bit):4.558032080651126
                    Encrypted:false
                    SSDEEP:49152:+nFt9C//+xj3od42eTLIOBFM1SGBJrqY4:+n0a8d5eTLIOBFMkGvo
                    MD5:8D7E1DF737ACCF384CE613704D1E6785
                    SHA1:D379EBB92F0956B3996BA7AC764C5D4522400C13
                    SHA-256:8E871E761C736C5C7BD4C336E1567BD6DE494E2DB512C41F0DF9EEED79C18C2C
                    SHA-512:689FAAD8A02C4F624B7C0D1D1F6CCF559C483B1D0F9CB5BBD4539E8B85171CD8D0A91943AE36D06ED3987BC3064BCA5A17EFDA05308CAC82BEC715B803AA2730
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):315392
                    Entropy (8bit):6.608716495139198
                    Encrypted:false
                    SSDEEP:6144:NBSt/m5IJ0eZepUBsx9jowIsgXkQVNZzj+FkI3ON6Z0Q:XSt/m5U02E7xRtIsgUeZbN6Z
                    MD5:425BD07926320D004AA46143B6978A4D
                    SHA1:20A6A993040795D31C65D2C57E591B5A507BC7E2
                    SHA-256:4FA1E6876D4BB489A85FB0F9A4D523DD3A59AA6E0731E517B70A6B709C070D96
                    SHA-512:344B591D7049F7AC669A5F2E3487159B9F565205DB6EE87EF33F4907CB43398AD85F0922CBF61AE3C1FD1A432E792B9D2AFF3AD4C9C9484B2B2EB82C68BD0732
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):135168
                    Entropy (8bit):6.296683013579054
                    Encrypted:false
                    SSDEEP:3072:9YA2VZwAg0voYBeAKwUvj3WkCOPafOw6KPwtcp:9qQ0vfY4JWw6K0
                    MD5:92FC0098A26F2AD9E151AC500433FBB3
                    SHA1:76FF33632C2C20F9C9260776454D0F833C313273
                    SHA-256:E30B56ABC26DC4C019394F59FD71F34F17913ECAE153A95BA2CF8204AA7D85D4
                    SHA-512:4FDA30528F20E6E6FC7EE8E639554FC05D05EC068EB5DB291B254416286830293DE0D0B6FDC037F06E5338EAC22263352EDDCC7C783A71379778B8176639AB4B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):273304
                    Entropy (8bit):6.020043518717365
                    Encrypted:false
                    SSDEEP:6144:vhtpdgqW5m0AGJ0GtPIN3ctqhlp4aVrL4ktOAztALJ3:v7gdwqHtPIN3+sbDxLFNeLJ3
                    MD5:4EB545BF1837F3D59A65C2D5D9D9708C
                    SHA1:847A29A86B437DC27EE7CF80044B88C9035695A8
                    SHA-256:19D57EE7356873D4D2BF512CD0C926154902E8D8763CB882D252C850E35270BB
                    SHA-512:CED9DF199D77DF0032D228792335646E5C7F9915979B70BCA178F032F062151BAF525637A0F5DAEDC03B90B3E2254EC97DDCDB5424512BD8B3D847538226D5B7
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):88472
                    Entropy (8bit):5.934966275007281
                    Encrypted:false
                    SSDEEP:1536:K2wIBLTD2JSBfGz6to1tOcQSagC6si5Jd:9rQMto1tOb+PJd
                    MD5:8E10B4B174040DD72080C4112D1161F6
                    SHA1:18238D3C47AF2FD917564F5DFF0BD943CC36F871
                    SHA-256:EF8C3906A9A9B8700F779BC3A6CB72E123861DABCC79CACEDBFA2506DF2CA0DD
                    SHA-512:E9AC96243C44DC83E1F6E6C4A931E7D462AFB6CE986C956C589CCA0A7CD9AB2D9FBE245F490631AA1234B3B928B89BDD928D30C5DB3A53B788CB046045801F0A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):84376
                    Entropy (8bit):5.834035929548954
                    Encrypted:false
                    SSDEEP:768:1Z8wMRK/I5I0bUV1j8bdGE3hwyZnGZqPGigtKkhQI7lagKZggvHs5Jdt:MwMRL5hRInknGcOtK8QSagUrM5JP
                    MD5:AAD896E084EBAF399446881CC070BA01
                    SHA1:0244C64B287D4816D2994942F51C839E58E5B1A5
                    SHA-256:DC9835055891401C13F374C269AB2E9761EF7D31102A442FDD8F970283717A73
                    SHA-512:77F55C5372B19A574D72FE95C9FF5C9C6A0A572DF85E1FFB884C66A8245ADC2F36B331652AC290F2D9749B4085A75D18543763E9D944B8B948F84A447A9B2A46
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):88472
                    Entropy (8bit):5.936032214863915
                    Encrypted:false
                    SSDEEP:1536:8sKP1aPAiTLuj9GH/8ktucYQSaglE25Jy:81SQC/JtucHi7Jy
                    MD5:D0B29617F08839C72329BBE62C8997B4
                    SHA1:E5C295D5AA981C1C7D6635FA66B0F65E54958F54
                    SHA-256:85747B552191056561012C2CFE8B8812705DB3A99A928F54F5B9830929C0477C
                    SHA-512:99E3E2418460303A13FB046F72B1B55220D0F0776D9A663C3E8BE2A423034DEAD4E76C0C8A6F22FA9BB6C0E0D9EAF2606FBD5A61E8A2003418E33C00317BAD16
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):88472
                    Entropy (8bit):5.896300766817041
                    Encrypted:false
                    SSDEEP:768:oZ8wMRK/I5I0bUV1j8bdGE3hwyZnGZPPjigtrkMQI7lagK81gvBs5JMlgc:hwMRL5hRInknGlDtrpQSagNIe5JMlz
                    MD5:7A564DE393B61B1B98A4C0A09E552C45
                    SHA1:2557AA233F66D17ED2FF39B929FC2C2C31339A25
                    SHA-256:D3ED42D3DEC50C69707D75C91F9D85FBB8688666A4C6B77B09F8EB1DF04E14BD
                    SHA-512:FE46EC04A2C309D6B57D18E10E33C8F3594635F877A090AF2E5F6A20592ABA985B886482DF5F0F0609D551A0DBF6444BE9F6D815755C51C3EFB68C2ED672F8A1
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):84376
                    Entropy (8bit):5.834494258255384
                    Encrypted:false
                    SSDEEP:768:qZ8wMRK/I5I0bUV1j8bdGE3hwyZnGZGP0igt7krfQI7lagKDjvgvfs5JC:HwMRL5hRInknGMkt7SfQSag2aE5JC
                    MD5:A984EF5CC7F787ECE0A94BDEB01813CA
                    SHA1:302077B5B97DCF74333BF2DA19B685F68B2B1A8E
                    SHA-256:654C849F3F8F4CA4E2D7C304D91C2463927D54C8CA708B8DABF9989F26FF4BB1
                    SHA-512:A6839231BBA895D1AB941464E22E1025DA00A847D190D0F6973D21DDC0E04C7CA62F41B574BE1DF36AD891F7D2CF2519858C998BB51C954121ED75E8514A1F01
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):84376
                    Entropy (8bit):5.797873028501167
                    Encrypted:false
                    SSDEEP:768:FZ8wMRK/I5I0bUV1j8bdGE3hwyZnGZDPhigtkkZQI7lagKAn+Vzgv5s5J05:cwMRL5hRInknG55tkwQSagNnE+W5J05
                    MD5:37CF9F52F6F378930EB34631D40A0170
                    SHA1:E20E46E776267D176B44387211EAE29319D63051
                    SHA-256:3E08430FE6B02699BDD4A34BAB32F6B5878366FBF7E349A393FFC8B70C5973D3
                    SHA-512:CDD32A5388A1FE6F2839A808B904DB9959301C4BF184BE5C5BC623CF657D886B0F8FA87393DCED8F397DF2AA51B9EF387A728CE38E8B8FF592064C658DD43387
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):84376
                    Entropy (8bit):5.837128542800414
                    Encrypted:false
                    SSDEEP:768:sZswMR6/oZ90iUV1z8bND03hwDZnGZRPaigtbkGQI7lagK8Rgv4ys5Jo:VwMR7ZFBdXtnG7atbPQSagpk4l5Jo
                    MD5:CDEE40EFAB2E6C83A09E0EC5CB209F55
                    SHA1:C5EE30AE6C51A8E47FFE732A0582308AB2E57D04
                    SHA-256:0A40FF7B48A3777C87930A1C0EB30E4B003ACC01B7141FD83ED67D1261CCC6E6
                    SHA-512:469B2776B9DD88C635EEAECFC715DC2F1FC5418F440A0B07C1DDFF81A66C33A54B1E7FA303B15FC21FB65F427D0B96543820371EC8A4FA58BB6F1FCB49028149
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):24968
                    Entropy (8bit):6.110468442223853
                    Encrypted:false
                    SSDEEP:384:d8OXp2/qhF26AqM5Ojh6EJQH0n5TFnYPLxsSJeeMPe:dlY/qq6FmOjxZn5Js5Jge
                    MD5:35F0D4F04477602498C16078FA8C42D4
                    SHA1:ED5DB84EEE1DCD948D0F6045A4F7859F582AD3CF
                    SHA-256:9DAEE5FA0C92598915C95A4FF7622EF76E2594C67EF359D0BB33B3CC14ED7974
                    SHA-512:624B4B5A1CC7C3476ABB383F05E490DBFBCC2CB42E0CB7BC98981873C77A4A8D0BF0FD09B564403E7382BA46277FCC6DF73F291BECEF65F9EA577F9ACA1CD2B3
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):24968
                    Entropy (8bit):6.109769099486793
                    Encrypted:false
                    SSDEEP:384:B8OXp2/qhFC6NqM5Ojh6oJUH0n5TdnYPLxsSJeeMsS:BlY/q26wmOjBNn5xs5JjS
                    MD5:FAB9A737BE7A771FFF7B8646C666C07F
                    SHA1:F772766EE95E5257EEF370955AAD4F487C36AE2C
                    SHA-256:EE23021A84952B6F7935BAFDE8DF70D7ED0004A5735C1FABBD88FF6E0BB2F377
                    SHA-512:542BF403DAF3E0C2F8E82A869888360998479BB3616F9D385E6EFB125EF6B1890459541FCFE18E1AAD75126CCD6F0E3C332A7B58996DBAF9D0A2A5E168A4E69B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):24968
                    Entropy (8bit):6.108628746952409
                    Encrypted:false
                    SSDEEP:384:x8OXp2/qhFh6CqM5Ojh65JgH0n5TQnYPLxsSJeeMRl:xlY/ql6fmOj0Jn5ss5JKl
                    MD5:9A17E6684A583D60554C263B319CA329
                    SHA1:E40253DAE5C74BD70AA97F945E95D23EEBDEC585
                    SHA-256:F63F440D0C6D4C410370ABAC6F85FBC5098A1187B70AB1E904070C6C68BB623B
                    SHA-512:D4500F2F287E6DB55D23F9F7EF1F5232FA292B5ED434727E060C86D8AA173770C545D94F796CAC2C335209556BB66444B98326822E26FA7D64018FADDF9FBC60
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):24968
                    Entropy (8bit):6.109141112989723
                    Encrypted:false
                    SSDEEP:384:18OXp2/qhF/6CuqM5Ojh6jJoH0n5TAnYPLxsSJeeM+v:1lY/qr6kmOjypn5cs5Jrv
                    MD5:DB6CF6C16B1550F7CECF54F1591F388A
                    SHA1:233939310E891FE038A62E27BCADA34C33B96999
                    SHA-256:4F5B74892C27B275B4F5777975B4054864352C2B48C2E0B0C514FB68D496067B
                    SHA-512:C6F21C33D94ABB1EFE35B13A2EA9FCE6D23945CCCB8F0537FCFE1F0CB6413F87445B32778462824E9D032DB1BFC120F94CBFB500596960CED9BB2EDCC217C483
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):24968
                    Entropy (8bit):6.106841090515202
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):125376
                    Entropy (8bit):6.020733072546082
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):121280
                    Entropy (8bit):5.843816528159869
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25536
                    Entropy (8bit):4.86456220235551
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25536
                    Entropy (8bit):4.850472701968364
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25536
                    Entropy (8bit):4.861199517601426
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25536
                    Entropy (8bit):4.900632470230576
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25536
                    Entropy (8bit):4.8619958369713725
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25536
                    Entropy (8bit):4.8654143815205835
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25536
                    Entropy (8bit):4.882389131553346
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25536
                    Entropy (8bit):4.861601120325766
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25536
                    Entropy (8bit):4.8962448044317854
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):32704
                    Entropy (8bit):4.5750635387546605
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):28608
                    Entropy (8bit):4.693968049108984
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):30656
                    Entropy (8bit):4.763007837828077
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):32192
                    Entropy (8bit):4.583711340905021
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):32192
                    Entropy (8bit):5.064263673323395
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):31168
                    Entropy (8bit):4.745238060100829
                    Encrypted:false
                    SSDEEP:768:rUUNnaxsy4fFCIcn9incBFCYuKN34Y9uFkIs5JY:r9Naxsy4fFCIcn9GcBFCYuKN34Y9uFkv
                    MD5:5673E501509218A04EB5BC5EA04E8DAA
                    SHA1:A87741522BA7916F23F37F4915637A021FD871C6
                    SHA-256:95884EABDFBDDC88EBB880DD7012D7F17B00D393BE10C9061EF8DF91B63641F8
                    SHA-512:5083CF328608703658A66D1516E8C6EF66BDEC5993C23AD4357F19B437DCB768CF86AD5CB4232C3C8465A89B43498AF649EA1AE31D78D17BCFA00C7225111FAF
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):29632
                    Entropy (8bit):4.693710763048218
                    Encrypted:false
                    SSDEEP:768:LvtR63QMhkZDpZUGjic5/livgQYxAYmWs5J:LvtI3QMhkZDpZUGjic5/livgQYxAYm5r
                    MD5:8F8B488445EDBDACCA2C887DCA2FE901
                    SHA1:44CB7BE89AE078D1FF3106A17860CD2BC8F785C6
                    SHA-256:801CE8103A78B0733AAC206BA83D43DB948073B23B68567A9305606678CA0531
                    SHA-512:2EF9E5942FEDBF0E739EB2C1B3F45F474CC5E6F4658DCFAFE8E7962B2B1BC5795BAE8DD59C91E302635A2B91F6E6D3B68AFAB30108B8106F8AB379A40A20581A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20416
                    Entropy (8bit):5.932472136446087
                    Encrypted:false
                    SSDEEP:192:RF8uqZXZ++U9rD8U8nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMorKqRo:RF8/++UVY3nYPLxsSJeeM
                    MD5:E5DE5680C053BC9F9A6CD08C303F8E65
                    SHA1:7BC71C960CF766CA11B3EBFAEC5E0D0979FB0B68
                    SHA-256:71F8F40A403A78086BB695AC0B4C428CA55B00E5ADFC378F06CEDCDD319B590A
                    SHA-512:478D87B59D93E6345DBA5037BF8B5AFD60E095BA67C566334971C2CD39D519DDBF09369CECDA010E3414A675B0E0B0268CD789F7570581B1968896AC3A733A62
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20928
                    Entropy (8bit):5.853953249287859
                    Encrypted:false
                    SSDEEP:192:9nZU6jH28+FmoGF/zV3VzUAgnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMorfwuA:9nZfjHYGVVVKnYPLxsSJeeMu
                    MD5:1AD7AA725DE2740CF0CD997821ACBA68
                    SHA1:49FE01C78500529C61A9DF1D7AB6A70DEFDD4C55
                    SHA-256:ACC16085AF1C04E89B83E6991A607A78E1DA5626D9920012FF849CBB555286E8
                    SHA-512:5605D53AB0A10EF0B903F4D431553B9F4186519E7F7122B6B2197E1A8ED0BE8AC9C8E2DC913C31906CBAF85AC77F1130C19C0809430B5482790C223DB65A1B9B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):21952
                    Entropy (8bit):5.0392208817196495
                    Encrypted:false
                    SSDEEP:192:r/ugUdBC3J4vV98yM2PKvf4dOGYUB3+3yueOaaKrBnYe+PjPBr7ahPO/d3BNJzrE:0CZ4998yM9IMXUPOKVnYPLxsSJeeMf
                    MD5:40B794366293A89383813F2F33522A56
                    SHA1:006156D2CBC5A88DC69E4617996F1658840484B1
                    SHA-256:1B6C7AC7524291DAE24B18D516ADACED4CB3AA60B16DCA767999CB4264AA20C3
                    SHA-512:5C9C1793D2B8FD64773AC25A4B8010D5D6C3AE0E1734548C7D4C9E7C55F4F94B241FB9FFF212B0B0681A409B4B8F5907F138B5F87ABDDAFE090CB8CAD8BA5553
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):22976
                    Entropy (8bit):4.977329167776436
                    Encrypted:false
                    SSDEEP:192:eBn8rsAVBvhRJikTmzMu76LKYe72I9laaD/jY/VKrbnYe+PjPBr7ahPO/d3BNJzy:/JCCUfWcQKPnYPLxsSJeeMMbPa
                    MD5:12D066A444F1C6DA52C15C16D9C755E0
                    SHA1:6D22946219E2390A8D1531C74D7CA83C237FE9A9
                    SHA-256:49C081C396198A8B870F5452FF05363F98BA285E766E6EE4C1353D7537BA6AD1
                    SHA-512:648AB1F7CA0ED89223029846020A343FD332A37FDFB07618995DB4B373F5218A0D60726EBFC971C5ED493B044810165297A148CB868B98432A40BE6A1AE48F7A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):24000
                    Entropy (8bit):4.88471797655691
                    Encrypted:false
                    SSDEEP:192:DyNwyZmJ+mMnvJtmzOiK1J81qN7S7f4tIGAFJPi4cDIdkdbf7hXeJe4Bqm4yIu0w:ZOmza8ww4RoxqhT4KbnYPLxsSJeeMT5Q
                    MD5:7BA02FCDA0C04A662538F1EDFDA32A2B
                    SHA1:C6029EEB3F65D2ADCB6C31FC339CCEDD25B131A4
                    SHA-256:D6080F19C9C1E221945F36CDF3DD067C05DA69B5515566282FB3607584A1A9AA
                    SHA-512:147090B825481A3F2DE433BC65BFAE62CE7C7F3063AC1CE51C9E2A8F5D609180342A140EE8CEAA56BB4E59445B96C10F0B836BCA9138669BCFB6DA7FDE5701A6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):22976
                    Entropy (8bit):5.016985582329065
                    Encrypted:false
                    SSDEEP:384:0SclY/KPV49hfm9m1XucbThQaAD/eFvkKenYPLxsSJeeMO:0SclY/KPVuhfm9gXucbThRAD/eFv1esR
                    MD5:32AABC75AAB358B3A4EEC345D3EEA4AC
                    SHA1:17C1FC6CE17F8CBBDEB0DEEBE89CC242AABC4C61
                    SHA-256:FAAD730272AD50D15A1745A67BB32BAAEA57F8FB320751EC47830199CAF3BB2B
                    SHA-512:7F5A551F3339D950A986A559DC9A60FF83E7642C3FAFCA19573982A190BBD9BFACFDF004A32831433B0D38F9234EEAE3935FA4F9BC31CC375C3C2A9C2E791D6E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):23488
                    Entropy (8bit):4.931431616956078
                    Encrypted:false
                    SSDEEP:192:vIKmxQ2RhfXaOzcYHjlciXXvITReL8sCqEd5FendoOBhnKreMnYe+PjPBr7ahPOx:gzrnv581JxkKvnYPLxsSJeeMRLZiR
                    MD5:1D72E938FD5256DFA3A9EC89651E0C27
                    SHA1:B9A00735DC21BA191555492F578A4FD9F05C1476
                    SHA-256:90DFFB169275497B8C4FA6DEC6E4C04765F4240C7D8E920E478C6B6F8CB10940
                    SHA-512:421D33D24EF601F5E48A379B40951A8F79C4C49E834786473367ECB5462B497B3C61B0A5F1BFD8BE85C3D654E267614917637DB89C9523A24202272F0188D982
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):19904
                    Entropy (8bit):5.8115768925992075
                    Encrypted:false
                    SSDEEP:192:6AmqztoGiDNV5nhjyZwzNAgxzhtylKrQnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMb:sE7iZ7nhjyZwVxzn6KEnYPLxsSJeeMww
                    MD5:F2CCFE29FB2F6890F4A28583FE7C73DF
                    SHA1:7C64F52BBD1BFD7A2B312D0B30A7372915F40A77
                    SHA-256:E54CFCC6DC34E552818D940C8AC0101948106790A37E551DAAB2C48D75936D9C
                    SHA-512:72879D52880DB5D7165E20D68F1395762D7A69342B98F3BB9A07A84BDCEA5C9FB56C4F30B36B41486FDC73321C568291E559DD7C4872D127D26E8E74D3690F16
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):22464
                    Entropy (8bit):5.037346669664827
                    Encrypted:false
                    SSDEEP:384:CWm2GWm2GWm2LI+2eI3FWP/H/7ATTgZbjCpCKZnYPLxsSJeeMo:w+pI3FWP/H/MTQHGDZs5JT
                    MD5:9AB393DD350A51110C1C7E8420A40457
                    SHA1:A0C3A771F59A6258839E8EC655554034B17BD37F
                    SHA-256:6CE6CCB5910038992468A7521BEBAE4D08D37A058B5EACA1449937E00C42CEC6
                    SHA-512:4CD5F09AB6958106D93D3D85B8082205D00EEFE97F54BDB7514192776C48221057CF966A93E6D32413D438BF262552FD6AFC509DFCAC3E55721212A2DFFED7F5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):23488
                    Entropy (8bit):4.924240443504452
                    Encrypted:false
                    SSDEEP:192:DckTop2Pfd13u3rx8OiG0HS7JEekGLGcuEqkgXSrXKrenYe+PjPBr7ahPO/d3BN3:DdxPV13u5LLFlN1bKinYPLxsSJeeMFg
                    MD5:995FDCA734666B692576AB4D5B851012
                    SHA1:CA27B219B18199567896F5DDC4DBDC2BECDAAE78
                    SHA-256:362416C50D7F77240016A86BF5CB29B123A6750CE39016F496672A98DC3D1BA2
                    SHA-512:842A9F4872D1C582B96DA48349C5DE4A730C4E7300BA63217B3CE8CE1185E58AFC661F176A30DB73C4348858AFB5F48C68CB76154C2818D087ED040C4E93E314
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):24000
                    Entropy (8bit):5.01712628699081
                    Encrypted:false
                    SSDEEP:384:Fc3koYA2H5m5qtYwhF7TqfKVnYPLxsSJeeMyu:Fc0oB2Zt5f5Vs5Jpu
                    MD5:142DAE98BB076A59522826B3BDA2E361
                    SHA1:C5D53959927D507B5CD249582782E0930F36F40E
                    SHA-256:99198CDAB00CD405DAED310107BAD6B5EC60E8E20CFA28A35F8E6CB5B6682561
                    SHA-512:0654F3B6D583ECFC13013ACA4C24E46618C59F2E552D3041CEC8F69F000EC0C264833F7CA4B667855BA29C5D5E700B04348922791268B6BA2F66427A847DBBD5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):23488
                    Entropy (8bit):4.958848078993383
                    Encrypted:false
                    SSDEEP:192:V5VYsjc5Y5nVHVrk0C4eYD0GtKrznYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMgrJmI:lHr1rKHnYPLxsSJeeMxI
                    MD5:B9BC69CAA44EBA29EBE8A54FBEC3BF57
                    SHA1:0A357C52B8003394951001B6B63A8FAA89D3CD00
                    SHA-256:F424F79F01B0AEB53BA5F796EE5C78306079AA0F870BA22B07EF6A8B5098DED9
                    SHA-512:E65857AE1200ECD2CFD350119854DBDA0DE08610F1A792F7D638795C65C7111E6D00AED4BA2A38784D8E4191F560EDF11992A8DBD6EC214D058FC5DD64994674
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):23488
                    Entropy (8bit):5.046937410443876
                    Encrypted:false
                    SSDEEP:384:go7HArXmdFhofbzRyAAAOt+X2yKGnYPLxsSJeeM9/:goEGOlOXTGs5Jq
                    MD5:B19A6C5D1322C860EFB28CCF8ACFB7EB
                    SHA1:A605675251C90715DAC09EFB0DDF069631F2DD5C
                    SHA-256:C07744586C1B8CB808A3E51AC5193079FE928D3145CE723A5C2606D2CC940D3E
                    SHA-512:09B1102629762A911F3DE6837763D0957ABBC9C93D8336C41456CFD296A155FBB0CDF99BDDBBBA279D1EAFEBBF60C8C3A09765A9CF56EA1C165478D8AE7366D6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):22976
                    Entropy (8bit):5.002343378077898
                    Encrypted:false
                    SSDEEP:384:rq7mjNg/qVJs0hRmOC9kV3iHaDlK7nYPLxsSJeeMN:rq7mjNg/qVJs0hRmOC9kti6E7s5JW
                    MD5:DFF0427E3032386F28ADA5226948EDD3
                    SHA1:6EFCDACA805E433C672EB57C7970788B6590FC6A
                    SHA-256:4FF42A4BFAD0C10D29F85844EAA397684CC176454FCC67ECFD47FC8F8D615C3F
                    SHA-512:DAE394604FDE47196E7C5C644C7CF3FAC3BFC4CA383CCF2C13A54048FE3F19A440A54CCE6B3425C38EFB03F4E3FDC7D401F2D6F009B4DD192015CCFB6387B150
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25536
                    Entropy (8bit):4.90496284262094
                    Encrypted:false
                    SSDEEP:192:AwPu7X12kYBWYgSjfK03fCrNeeMpS0gZInYe+PjPBr7ahPO/d3BNJzr9ZCspE+Ta:nPu7BRBe7M0XnYPLxsSJeeMzPD
                    MD5:3457BBE267FEB2FEB5DC4136F54EEE8D
                    SHA1:5D0030509CED9756064E3A572D3A3C3DEC651F99
                    SHA-256:10971069A96931B1AF6E6D850478721C932A10185B7E716F8F754D0154DE4A1A
                    SHA-512:5F730CDBAAF0EC35C64B3053FEC0880D532AD43E3B4C58B623DDA5BE1FAB3F2ACC3F3218DEFAF68D8BDE0B0A9AF6945725C548E119539EEB016795E57F67D852
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25536
                    Entropy (8bit):4.897402707240797
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25536
                    Entropy (8bit):4.9042339819635865
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25024
                    Entropy (8bit):4.856255214068369
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25536
                    Entropy (8bit):4.903483361111267
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25536
                    Entropy (8bit):4.905921086931785
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25536
                    Entropy (8bit):4.919654834087497
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25536
                    Entropy (8bit):4.904443227334458
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25024
                    Entropy (8bit):4.850073295771565
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):29136
                    Entropy (8bit):4.9692860446142975
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):30160
                    Entropy (8bit):5.000221451339399
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):29648
                    Entropy (8bit):5.004397668489623
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):29648
                    Entropy (8bit):4.998722582234436
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):29648
                    Entropy (8bit):5.007682826350436
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):29648
                    Entropy (8bit):4.977317577920436
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):29648
                    Entropy (8bit):4.995348720926803
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):29648
                    Entropy (8bit):5.0197204689792425
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):28112
                    Entropy (8bit):5.073638013256542
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):80344
                    Entropy (8bit):3.8747216231937727
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):67032
                    Entropy (8bit):4.44577011532844
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):67544
                    Entropy (8bit):4.406850487242424
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):67544
                    Entropy (8bit):4.704858741624126
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):80344
                    Entropy (8bit):3.8395499427457818
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):80344
                    Entropy (8bit):3.8490740588187626
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):59864
                    Entropy (8bit):4.594919313031705
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):59864
                    Entropy (8bit):4.591039891697076
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):30160
                    Entropy (8bit):4.95901424303462
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):30160
                    Entropy (8bit):4.9293675668391845
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):30672
                    Entropy (8bit):4.959426091463037
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):30160
                    Entropy (8bit):4.923847070204445
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):29136
                    Entropy (8bit):5.0300873112722355
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):29136
                    Entropy (8bit):5.0184669520774365
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):22464
                    Entropy (8bit):4.9822661683284295
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):23488
                    Entropy (8bit):4.920061987573571
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25024
                    Entropy (8bit):4.874811562246298
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):24000
                    Entropy (8bit):5.021104340313693
                    Encrypted:false
                    SSDEEP:384:OAlY/KPV71mOm9m1XuubT0+aAD/eJj+ew2nYPLxsSJeeM3Mv:HlY/KPV5mOm9gXuubT0jAD/eJj+ew2st
                    MD5:7F52B681C8158384AA5D8C8BF76C2774
                    SHA1:85576B77E8137625A91354666755B50A89425352
                    SHA-256:9A436CB767F5EC0B7D0858AEFC9CA29B8B58E5EE598F82192C2863D2655DD04D
                    SHA-512:26AB62F1C7FCF30D5A52BCBAA3EA617111754B3408AAA1FF501562A50DEAC73DCDCB35224CE3AF8C9DB4729ACF6C215D0DD3EA88AC2E8CF20CD7BE4317C0D6EE
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):24000
                    Entropy (8bit):4.864062485690882
                    Encrypted:false
                    SSDEEP:192:UYx7je3mxQ2RhfXaOzcYHjlciXXvITReL8sCqEd5FendoOBhCuihsnYe+PjPBr7S:aernv581JxtKnYPLxsSJeeMgI
                    MD5:B47079169C754F175EE89F832AAAEA27
                    SHA1:F5399507E34FB96AE901C34BDC6C203962D45C20
                    SHA-256:7196AFB97E5018FA42637C2D523349AA2AAE7C11F23F093D96F161892A162D32
                    SHA-512:0A324C5D412C8B8F4D2358FF2BA564AA7A4A96B3C82954E3D35147EA86D01990B8BB0A8ECE329E06FE7019F1257C25D1928292114EBFFF4809D8779185DB1DAB
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20416
                    Entropy (8bit):5.812381487071401
                    Encrypted:false
                    SSDEEP:384:j1E7iZ7nhjyZwVxzn/oeNnYPLxsSJeeMOC:BEGPV5QeNs5JrC
                    MD5:2838AB508D3452DC17F436882F006B6B
                    SHA1:BC87000CB6BA506A83A20272CEEBC0FC832CAC87
                    SHA-256:2D593F396449B3D446A7D24853B67D8496655BA61805B64C3874C34BB5F0D5C1
                    SHA-512:92227B8CCA59FB68B0A13B91D61A228602E69C7BD8A07620FC390C38E7932AD36B4881819703C75ADBC68E09FD021BDB20CD4A434237194A61B5D929AA639097
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):22976
                    Entropy (8bit):4.990736091967367
                    Encrypted:false
                    SSDEEP:384:U2GWm2GWm2Lbr7ZY+2eI3FWP/H/7ATTgZbjCpoSWnYPLxsSJeeMh:o+pI3FWP/H/MTQHGoSWs5JC
                    MD5:DCA4F381629245C72FFEA637795D24EA
                    SHA1:68FEDE4F9157C6C06A8388E296E727066CAD75F4
                    SHA-256:13826009F9A60DD581DE4B5DBF6B5F3F3D1B964F655A6129BD41BFFF1310BA28
                    SHA-512:25E5687A47E20BC579C1A37C3644402D13FE88C1AB61527D7DC93A2C533C9EF1571F57AF24885815AF6197663E0E635A0CDE98299023C25B919539DE97806DE3
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):24000
                    Entropy (8bit):4.850655206252076
                    Encrypted:false
                    SSDEEP:192:IByx7n/yTop2Pfd13u3rx8OiG0HS7JEekGLGcuEqkgXSreHkhInYe+PjPBr7ahP4:PCxPV13u5LLFlN1yECnYPLxsSJeeMu9
                    MD5:2252F32D9FB62EF98CD283050193DACD
                    SHA1:5A40C1518E4A069DA74A758BB614D45C81C7F15A
                    SHA-256:F1AD67EEE0FB7ABB10D32B42199BD459468BE28C99A34E75853651A7853869A2
                    SHA-512:A66480440C6D3634D1AD8F0AAA3141CB28DB882BF1AF815BBD54DFA0905A5392937F4391F507C43DAF4C43391457AA5C264F706A92901634DEEB112B58A9A5A1
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):24512
                    Entropy (8bit):4.95514618008715
                    Encrypted:false
                    SSDEEP:384:Evc3koYA2H5m5qtYwhF7Tqz5nYPLxsSJeeMkaR:Ac0oB2Zt5fM5s5JLC
                    MD5:901EC4BD43D2E1DD80878C567332FDD5
                    SHA1:DF2A8DBF141ED803A6DD8F2B09D36FC4CAEEF449
                    SHA-256:7566E41183F4D086011260B61B6E8D5C5DEF1D0413EFD52519B8E0925CE1FF0A
                    SHA-512:85509344078465387887009B4B46A9C575552F2BD187513D24673C9516D26C82CE7E7C5F7A603C683F60C93C9A5BC588BBCBE30E2E1CAF41EDE874D0C7742C3A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):24000
                    Entropy (8bit):4.890287407022982
                    Encrypted:false
                    SSDEEP:192:BcWx7LyZYsjc5Y5nVHVrk0C4eYD0G1hznYe+PjPBr7ahPO/d3BNJzr9ZCspE+TM6:B09Hr1jFnYPLxsSJeeMTqb
                    MD5:260A694968DD5D73AB783970C585571E
                    SHA1:45A84B69BCDEB89860068C96B5AD5F2C5026A09E
                    SHA-256:B3A44CD2E91D717C2B282C64F122F57DD9DD06DA657701EC35FFF6E5E273AB57
                    SHA-512:66D10BCD7DCAA9B66E0D8CDE2171527284926A576FE51FBBEBE0A232A2EF9D4A9547E769B25DFBB9746DEACD3255A2C65B83D638D6BBE2179DCCEEF704E51C11
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):24000
                    Entropy (8bit):4.993707291340094
                    Encrypted:false
                    SSDEEP:384:pXo7HArXmdFhofbzRyAAAOt+X2SznYPLxsSJeeM2F:9oEGOlOXSzs5JJ
                    MD5:FA4716CB3D1B2D6A434DADFF05D83540
                    SHA1:2FFDF2B565071BB50C8573968A5B8D3CB994DBBA
                    SHA-256:3E06B012494D6BAC073592FC79A3543D6E4203EE4DFC04CD9C629692EC041F21
                    SHA-512:4706FDA1EAFDA16B9731A9547BF4862037D5C5DAA8E9E780A6B047D41ADBA4A3E0342915789BFA71349A6E7BC6F416C30D44139664A5B09D8C5C0856AB9EDE5F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):23488
                    Entropy (8bit):4.94449451833257
                    Encrypted:false
                    SSDEEP:384:/3q7mjNg/qVJs0hRmOC9kV3iHaD34nYPLxsSJeeMUX:vq7mjNg/qVJs0hRmOC9kti6j4s5J7
                    MD5:5020EC9A85EDA6688527C00B74399AFC
                    SHA1:9FC0E82794AECE8222AD7754A33FFE7AE2B370E9
                    SHA-256:4D359CEA70F34DF0C6156F7358AF393B3D10BFE5A7951A23F7EDFB855C297233
                    SHA-512:587EA3E53C9AE1C316CC923ECE03CCFB83AD9C87F41EE03497A07A4F1248B56E955195C9821F66F5B2F88A3A757D3727567E7D2C62A86690E684CBF139540B45
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20880
                    Entropy (8bit):6.203687423105806
                    Encrypted:false
                    SSDEEP:384:d8OXp2/6B49kCxB/o9aM5Ojh6jQMYdXnYPLxsSJeeM4T:dlY/6W9kCxdo9amOjyGxs5Jj
                    MD5:8C76AA7D5471F3B6DF2F29F4A70E9ACD
                    SHA1:B66C399434F6488618F9599F3302E04DB4A8CD03
                    SHA-256:78B35F1542B9BCB2D61F6DEB9704F35698698EC318840157330D14C7209F29C7
                    SHA-512:45EEF71F94685BB903484251BF9C811467EBC61AA795C9CAC933C4336F380407CC7F5ED8D317CE457027F3BC6086C9A0BD5D02809E3118B818ED1272211F3CD8
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20880
                    Entropy (8bit):6.2113992845613195
                    Encrypted:false
                    SSDEEP:384:c8OXp2/6B49+Cvjo9aM5Ojh6JQI8rdVnYPLxsSJeeMwLY:clY/6W9+C7o9amOjAQIK7s5J
                    MD5:36610CD6E02FAA71360420ED72BF5DE6
                    SHA1:1A9DA80C80625D6DF93FC1E71151040D31B939AF
                    SHA-256:5BF02E572D1DD97AD9EC40CB5F9D97EE5593C2E941FCA5E5EAB181BABBF989C1
                    SHA-512:3C9CDD85ED6EEBD9B97F63F21847DF03392FA5268CA9CDF8F0C16B9AD9DE2366A855EAA8BC8EC912E76ABD0D8CA5C012EF27CDF55C0A3678D7D6D3DBC7924385
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):21392
                    Entropy (8bit):6.245846261231891
                    Encrypted:false
                    SSDEEP:384:g8OXp2/6B49OCnEo9aM5Ojh6ZYtd46dlnYPLxsSJeeM:glY/6W9OCEo9amOjQoHs5J
                    MD5:D8A93EB9B2E1C6E184350F1FB55F56DF
                    SHA1:D830D549F0BD16721C1050EFA72CE616BFA2D70E
                    SHA-256:A8D642BE07CAA2AD9EA3B3833AF1153F0AC01C34FC8F9281E2ADA6401B1310F2
                    SHA-512:4F1F20F2BD0F909B7767392D9DF17F730FF1A2396479EF1457E89F15A716CD43857DB49E290D0A5202B4AAB5274555002BDB4290ECD09651ED11DDE746814565
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20880
                    Entropy (8bit):6.205936704129141
                    Encrypted:false
                    SSDEEP:384:J8OXp2/6B49vCKYo9aM5Ojh6WeI7jrd4nYPLxsSJeeMOry:JlY/6W9vCno9amOjjnis5Jdry
                    MD5:8299A7F7A9DEEF6F3F799AB353F5B45A
                    SHA1:4B08510BA30A3B9D3BF28AF4358C46586EACCBC8
                    SHA-256:C1DF0574E6F0FEB9645BA12AE6EF5F5B70FC95C7D65BD8567C8C0A9053010BC8
                    SHA-512:7AF0E8B4B371A76EFD9EB0FBE02ADF6C6A8E749FE0C3CA94F510CB91EB1458485A81D35DE1DBC00044E04058AA93049CFDDEC75622C2736C50AC489A79BA8927
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20880
                    Entropy (8bit):6.206390174074578
                    Encrypted:false
                    SSDEEP:384:z8OXp2/6B49GC4No9aM5Ojh6xuKQa6d1nYPLxsSJeeM:zlY/6W9GCIo9amOjIWrs5J
                    MD5:F80ABF264040325B4E3BD7CFC9A5851C
                    SHA1:D3920EA2CBDDDF0A185F75113C49AB846A216E3A
                    SHA-256:7628421E83BF8B8E4B6E2BBB34653DCCCC537533588A1BC95D3C5D8639998C2A
                    SHA-512:67F7B2A696F2210A95107B4BD9835C2069D0B2452A8FBD0FC693611866258E2329FA1FE76C4715A5FDC575857D23B4650355D4B440C31ED52C5603171BC90BE7
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20880
                    Entropy (8bit):6.250522280187799
                    Encrypted:false
                    SSDEEP:384:cR8OXp2/6B49nCyto9aM5Ojh6uiXdOnYPLxsSJeeM:cRlY/6W9nC+o9amOj7iXYs5J
                    MD5:CF5B4A1E2BAAF50465722C8C74904CAB
                    SHA1:AC33E3A98E59ACE7975EA93B242C4586CE0428DE
                    SHA-256:54799B03A277FE87B4F3679B3B3A05B31499FA882DB4BADAF0908FF1052AFE23
                    SHA-512:0F7A2144B1D5F491BE2F18714D2BFD9B08684F3865EAFD612680E2CC2FD0CFFC3A2B70B6BD61BB495D3D3FEA35A98113D041A9EA98D5184BA7B212945FA34C28
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20880
                    Entropy (8bit):6.207245020409517
                    Encrypted:false
                    SSDEEP:384:W8OXp2/6B498CiQo9aM5Ojh6XoYoWAdwnYPLxsSJeeM:WlY/6W98C3o9amOj6UOs5J
                    MD5:BAE308AABD6162DBFAA6CF792B96F022
                    SHA1:B9A40C90C76A5813E419FDA4D87A5D8BC32D5339
                    SHA-256:E835018B5A788D4C4A84B83130655C0BFA4CCD92EE92CA13DDA1230FD202C98B
                    SHA-512:7FB22AB949DEAF3F35A8F8EC4D31C1E1597AAC42F04CEC9C7F64490A515FBA9A06168579F9AAF156BE3635EDF36007CA50F0E5D575886C313A03FF8FEFD174DA
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):21392
                    Entropy (8bit):6.240372463244853
                    Encrypted:false
                    SSDEEP:384:Y8OXp2/6B49ACI0o9aM5Ojh6TP3b6dWnYPLxsSJeeM5:YlY/6W9ACxo9amOjGGss5JQ
                    MD5:BFAB4CF635C27D1C1DAB5E19A88FA675
                    SHA1:46848433AB53625729E00BF16313B4E15E792E36
                    SHA-256:120DA57CBDB4DA198EF9E22C4F7D6A98D153870F84E0A9CD6C7C1F535DBFF45F
                    SHA-512:25A7A053BEF305D1542132386EE83B91CDCDD5A0DE760B108A35620A13CD42B2E55218154DAEBC69FA9DB93532E02A7D04301C8FB56DCA5CE4C25BE196613691
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20880
                    Entropy (8bit):6.213149561064228
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):170368
                    Entropy (8bit):4.834195847728171
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):170368
                    Entropy (8bit):4.831501824268272
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):170368
                    Entropy (8bit):4.839650376133177
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):170368
                    Entropy (8bit):4.8475161368232635
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):170368
                    Entropy (8bit):4.848715272404826
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):166272
                    Entropy (8bit):4.8880954924739655
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):472496
                    Entropy (8bit):6.410029661132987
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):260480
                    Entropy (8bit):6.191383334371644
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):22408
                    Entropy (8bit):5.097264765058956
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):21896
                    Entropy (8bit):5.064177246578598
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):21896
                    Entropy (8bit):5.084371402036406
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):21896
                    Entropy (8bit):5.227548738550926
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):21896
                    Entropy (8bit):5.111075930794146
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):24968
                    Entropy (8bit):5.952881406968099
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):24968
                    Entropy (8bit):5.955753903081062
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25480
                    Entropy (8bit):5.863146134440891
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25480
                    Entropy (8bit):5.898763847939513
                    Encrypted:false
                    SSDEEP:384:q8OXp2/6B499Cuo9aM5Ojh6QdgSvJ5lw5aj2sPE4nYPLxsSJeeMuFs8:qlY/6W99Cuo9amOjPdgK2wlZs5Jln
                    MD5:BED62AA1618A82F8A98A652F29C07618
                    SHA1:2ABDD4A03BC23B44546A0B23FB64DA8895FB3FB2
                    SHA-256:2E46BA4CF8188F23C08B8928CBC24797CA6F3BDF7499CEC045971176AE4E82BF
                    SHA-512:2D0E35A0D884CDA771A1B0A88E7E71E9C5BD84673AA8B0EEA0EE10B6A4CFE06C7200792024DF2939CA31509B3DE7B5081FA3467F293F1130756D3157AEAE6590
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):23432
                    Entropy (8bit):6.245559290971149
                    Encrypted:false
                    SSDEEP:384:c8OXp2/6B49KCko9aM5Ojh6DduQPEbnYPLxsSJeeMw2:clY/6W9KCko9amOjEdbms5J/2
                    MD5:8F3205F551AEF27E53989C65B08B3797
                    SHA1:B51EE54B5D8946CD850CADBA3B6BF933053EC024
                    SHA-256:9FE5110BA93663EDA484E6E2965D1EB3E9133CFE1F324BED115E4575BDC8508D
                    SHA-512:75BE41F1FB19C6FF75C0D9916E95A3F0A6C9E60015B0D7478DABAE5FCF3A386A0418661248B1361116FF9E0224CF16E64535B136E8115BE77A0079823D44AC58
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):24968
                    Entropy (8bit):5.958375659462461
                    Encrypted:false
                    SSDEEP:384:r8OXp2/6B49tCPo9aM5Ojh6Ai4t9Ndt9NeN0L/2MPENnYPLxsSJeeMD:rlY/6W9tCPo9amOj/iJ0L/2Egs5Jc
                    MD5:2023F06EDD71BD8EDE68753745F9A124
                    SHA1:25C4673D732B487AB340560467552097020E5410
                    SHA-256:9A5CF7F65F255B6BD224ECA516417208299D4B82DA6A1421F1AB14A1CF99CE35
                    SHA-512:321CDCDC054C1359CD0E089B41BBCA87FD20A8796C84C9A86328ACD93D9DDAD2A375261F127133188E41A291E6B024E4F9410EAAB0FF1597ED3B8DA70893F431
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):24968
                    Entropy (8bit):5.969652417593159
                    Encrypted:false
                    SSDEEP:384:t8OXp2/6B49GCQo9aM5Ojh6/+DAVVcunJ89PEcnYPLxsSJeeMzU:tlY/6W9GCQo9amOjA+EVBJ8lFs5JuU
                    MD5:3F611DDAD88AC500C8B677523E008F14
                    SHA1:E04C2E870FB3BDF965C27015405C670584B531D2
                    SHA-256:64F79F22806E6CD9B3D81BB5B1DF7AD4BA8629411D42E140EE10DDC52AE9E124
                    SHA-512:B298A2AF50914C358DC834CBD21F47B95627A80F50699BDE244531D625781228076C8C34C6D4717D57ECCDC56BB6864965DFC713ACB31A67D91080961FD82DC4
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):24968
                    Entropy (8bit):5.943627334695934
                    Encrypted:false
                    SSDEEP:384:c8OXp2/6B49OCdo9aM5Ojh63dxdC2qY9N86AW+FeKYPEOnYPLxsSJeeMAgN:clY/6W9OCdo9amOjYdt5FOeJjs5JdgN
                    MD5:6EA50B5975240C4E46A10B9D368FF177
                    SHA1:E876E9CD0A8350131DE3AE3D9B6913B95D08FD03
                    SHA-256:690D28C9BBF71DE367337A1F8D024502FC97479B9FA492DDABEDA404127F77A4
                    SHA-512:3F8B7B52A22B1029ED55FC09E43B75B2BAD7E936D3CFBAF0CB083C012DC4A97CF3573607F38550635E4EC4D88F50089C231D6FAFBC1E1085865F033707EC1F46
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20872
                    Entropy (8bit):6.2245893808090615
                    Encrypted:false
                    SSDEEP:384:Du8OXp2/qhFl6TnqM5Ojh6tCT1nYPLxsSJeeMXRfO:DulY/qJ6+mOj8CRs5JUNO
                    MD5:78805B6DCFB35E79A25CE369BCEFF5B1
                    SHA1:3A9DF528DF5569026AA6EB587F71927EE66D2A5D
                    SHA-256:531EAFA13F9007454F383F6CD332FECF0D2BC27C01FEFB3DCC289DA0C8746662
                    SHA-512:A2A258EBE1FF9324BABF52E6EDEF6B4F301117FEF8DE7ABC4ED8289FFF371A5EEB5702D9091864CC565EBB3495AA962801FA1DD54569323A41B5AB3851CAAD0E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20872
                    Entropy (8bit):6.230800538373272
                    Encrypted:false
                    SSDEEP:384:uu8OXp2/qhFp6u3qM5Ojh6sJTqnYPLxsSJeeMRj6c:uulY/qF6uamOjNJWs5JyL
                    MD5:ABA6B64CA99D126B64292EBA210D1A10
                    SHA1:7B050E4BF8E70F1457C3B65A090F3A8D41A86581
                    SHA-256:A223DCEC73A721F7A5967B14A02CE640CD5BC435DA8D8E9FEBD8E3810C673F65
                    SHA-512:6FD3BA2349600D594BFBD42822646C640061241711715E6FDE9B351F5DC097D1F3180339F6C7D769BE28D946158CC752425D41973485370CA596F282EF9A3172
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20872
                    Entropy (8bit):6.227679840581243
                    Encrypted:false
                    SSDEEP:384:gu8OXp2/qhF/6TqM5Ojh6+KTXnYPLxsSJeeM:gulY/qz6umOj7KTs5J
                    MD5:BC2AB6BDF7F1E6584347A6D72B39D76A
                    SHA1:72B474099EE91C7358963BF58F6209F92B1FCFF6
                    SHA-256:8EEBF3B03388650BE1392D478788012D6D6696102F9AAF97A102D35E28EC69FD
                    SHA-512:3A1A726C14B436C65237F08972D0AF938101E115D49CFABC10234D9835A9A5723BA83E66BC7A153E01855C091AF7BA46A97AFB9E9BF1698A7D623E9391CFAD21
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20872
                    Entropy (8bit):6.227149967310239
                    Encrypted:false
                    SSDEEP:384:Wu8OXp2/qhFT6JqM5Ojh6SLTfnYPLxsSJeeM:WulY/qf60mOj/LTs5J
                    MD5:EAE028E74A1A21C5EF5A7ABC55C0053A
                    SHA1:DB32D3C2D4BC3CFD0AF173C0A49ADE40FA0037A4
                    SHA-256:21B3389B9B667303B36CEF933DE006DC9375A1649E9EFF9D513F28B606E817E3
                    SHA-512:1F2680122AD7D07847D2F1AA6C5B3A7B3D76C029883A7516595B508BDAB0381D8BB37EBE49E8BBEA1A20B8B47A3B945CD89BAE74B1616388EA7637F86CA3E266
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20872
                    Entropy (8bit):6.2295900464596174
                    Encrypted:false
                    SSDEEP:384:Xu8OXp2/qhF76vqM5Ojh6YTTqnYPLxsSJeeMZ:XulY/qH6SmOj9Tes5JU
                    MD5:60B89DB69420D7FC7D2104CA4BB1D0CA
                    SHA1:3216AD341CC5EB6383544D75957B655706FEB90F
                    SHA-256:46DB59DE46C607B80EAE16D4655A630FDD4298102065E4179125C1D4C66FBD7C
                    SHA-512:A1E5E9DE3FA2A5577EE642772A8FFF0A7D7F9F3FFD7B586C1463D7D9755796EF8E1C7367E7DBCBC1AAA4509BE31F7D2A911DFD06EFCB89A629C334F063B6B519
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):178064
                    Entropy (8bit):5.107855383393145
                    Encrypted:false
                    SSDEEP:3072:ul/c8ZOjH+nAIWUlKMNT9bDfmuVFUK2I8/yWVyWrPFMiu82Jd:uDOjH+AI9MK2I8/1zPKd
                    MD5:BBFA02C6355AED39990B4E5935F7674D
                    SHA1:94A7752513594CDE82573E3A1CE5726128728A52
                    SHA-256:E2A426F19B41E83DAD6086CC23A7A9F60BB7C01B12AA820969A2D992B639D19B
                    SHA-512:EBC8145FF60F566AC280761A5B61214734D15B81E5C4BD259197E99B92DF550D0FA2312ABFAC68DFDD69AE20D7DA4780FEC75DCA8CB1C759A92D2459D173269E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):182672
                    Entropy (8bit):5.105537350846865
                    Encrypted:false
                    SSDEEP:3072:6lmsMgZOjEdnAIWUlKMNT9bDfmuVFUK2I8/yWVyWrP19jZgoCEaEnipHDRtZ5GyU:6c+OjEdAI9MK2I8/1zPJqC
                    MD5:6239BC92A57050534F5C811509F6B82D
                    SHA1:56EE6A1395B5459ED9857B370DE6442A1DFB899A
                    SHA-256:D406DCB35EF92EAE5B92B23AA114493BB15E1CE9008B12658D046C33365920EB
                    SHA-512:A05EE57A20F150204260DA0D29F08FDF6305FA72EBBE3A53883D3DA785D73A48E75F45AE194B3A5BB1F9958B5CF5364D28BE9FE933203E038EFB54A0030D9D2B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):179088
                    Entropy (8bit):5.159254464669239
                    Encrypted:false
                    SSDEEP:3072:0l/chZOjtPnAIWUlKMNT9bDfmuVFUK2I8/yWVyWrPMHbtjsfvtFaCU7SWj+hLJ1u:0UOjtPAI9MK2I8/1zPxmEGuC
                    MD5:61707DED5E690A3580279CB0333AEA07
                    SHA1:047ABE18411E2EB2D2DAB01E7F53669EFEA95FE7
                    SHA-256:7965BCA499F46DEC5AE292ACC44D610E07A86CC8C064406CC3074735BCB24534
                    SHA-512:E0E00E1D8A76511854204798FD760868EF1B1CE9E1B5A613326CE625573C2F13EDA024252AE070A1FAE4D6AAC8413036D2D8AAF657018F7F774260237A7662D6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):164752
                    Entropy (8bit):5.5379944306601745
                    Encrypted:false
                    SSDEEP:3072:zl/cgZOj6CnAIWUlKMNT9bDfmuVFUK2I8/yWVyWrPCETmJ9t:zTOj6CAI9MK2I8/1zPT8b
                    MD5:2DEE872525AA8362E5FD40F6E4DE48F6
                    SHA1:DE6CB8D3D7BA12FBC4CEFB953D30D3FFC49E2F27
                    SHA-256:CE63BB1117CC6132CACBC3288D9ED8BD8D1071729F18C85949B138D83AB1AC30
                    SHA-512:39476F820D2DFE4BB4359C5B6409089AFC6FC44C745FEFE93EA64371D3F988AECF1031751897B50EA8240C4B91A22F76A06D9F08ACFD9AA77315B1F0CC5D0FFD
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):178576
                    Entropy (8bit):5.465473084515342
                    Encrypted:false
                    SSDEEP:3072:2l/cDZOjbWnAIWUlKMNT9bDfmuVFUK2I8/yWVyWrPpRcKAMipE/9Jx:2+OjbWAI9MK2I8/1zPBx
                    MD5:2E77C5FE76711B7F30F2678311211035
                    SHA1:95D79A4BF2AB57251475C1ACF7CC4CFADD059489
                    SHA-256:A401A66C2905187377A5E39C0C50C0FB68298741EFF926FF3F3392C32D714BC9
                    SHA-512:DE29718D51E6A15C04586CEF1754B5FC7F6287E7CAA19E4A45DE0AB1AAB12A12025A5765CA20CB497ACF5C93F4C384AFD599EEC34A7E9AD34119CF3C84F1D648
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20888
                    Entropy (8bit):6.221360644151874
                    Encrypted:false
                    SSDEEP:384:S8OXp2/qhFm6NqM5Ojh6J+bTpnYPLxsSJeeMlC:SlY/qy6wmOj4+bVs5JYC
                    MD5:86B04651C3CDDC5AD7441929204BAB93
                    SHA1:33E1976807D81230B6B6162AD92518FB99CC6937
                    SHA-256:662810AD9F76E73231578B93515F6B8B0906A051787E7210252A138A601798D9
                    SHA-512:1EE3B74C83CABACE968FD0EB92031F061B9C2D3FD23FA0D69A674385A7490079EC75E74EE0843851EB6C1A85AB2A043DE65A36D75A47314B06E25B366B5550A6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20888
                    Entropy (8bit):6.223853022429469
                    Encrypted:false
                    SSDEEP:384:H8OXp2/qhF56XqM5Ojh6UHbTznYPLxsSJeeMN1:HlY/q166mOjVHbns5J01
                    MD5:4477D50F0903EAE07EC128F507BC0B48
                    SHA1:F9A5514C821E542B7A7388A5F48DB7883B130110
                    SHA-256:9F45125099E8825FF13D1DB023B036039EC3F055BFEC71BC66935C47EAD1A79E
                    SHA-512:B867810B5EB91F5FC2D9302BA3C234AA10BAF2EBAB95DBE86D5780A25D861DF3EA2C3878CE5D8E07A8888BDBDF288D6041937708BEDF6C73E5B423E1E7256703
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20888
                    Entropy (8bit):6.221877413150353
                    Encrypted:false
                    SSDEEP:384:c8OXp2/qhFT6LqM5Ojh6q2bTNnYPLxsSJeeM6Dy:clY/qn6mmOjX2bJs5Jny
                    MD5:B79911019092005AA77C0FAD35A922FF
                    SHA1:1A20C5FDDD218EBE69D489DCCD44866ECE666D42
                    SHA-256:BA4E5B3682A14E88A6F95CEA5AD768E65A5C04C48A23E705F6F225822FC2452F
                    SHA-512:48343A986E1F5D3014D4C5691D08A9F06262F646F7E6538A2247F0D2A6DED668BB6EAC7B215F7E934C3EB779AFA681CB273F5AC7B31D617D19261CE3B8B428F3
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20888
                    Entropy (8bit):6.220391358449345
                    Encrypted:false
                    SSDEEP:384:T8OXp2/qhFY6uqM5Ojh6DxbT8nYPLxsSJeeMGB1:TlY/qs6DmOjaxb4s5JfB1
                    MD5:ABDD16A7A10DF05D2CDBB1B9B3F5521B
                    SHA1:C1CA2157897F53790EC423FB85660EDB04C486FC
                    SHA-256:8CA3AC8AB6B15FD733C9335E352056A83FACBD1B1CE969502EA3479A774B5684
                    SHA-512:890382B85EA626347AA9A7F41DC1E6FF68C2A388834EA745C1A382C5CE042279E66E947E988F895D40211AF4E399CDDE2C157D448E94308A7551A6868B7B8DC2
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20888
                    Entropy (8bit):6.2238091350305025
                    Encrypted:false
                    SSDEEP:384:48OXp2/qhFN63qM5Ojh6upbT+nYPLxsSJeeMDhD8w:4lY/qx6amOjjpbSs5JyhL
                    MD5:B6F3F106DA20D177E02D4E56B5D6A893
                    SHA1:AE985C1BF249B6F3A691125722B1AA70E4D7E358
                    SHA-256:B939CB96F8BBE726C2AF54164289160B475003B8799502C8D430557DB7AA14C4
                    SHA-512:2191EB4CFF285A5B5181EB3D533084E27AA0D0E150618FAD75E19EDD502B5AD5F30D62A2F47BE4D589A590418BE4B3A74DA90D53D2C3C2FEC89047261AD54694
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):47504
                    Entropy (8bit):5.452268056557045
                    Encrypted:false
                    SSDEEP:768:dlPX//UUVUmOjcTg96XCNJdyIK6RUotvfJI27A3aZcnaZs5JE:dlPnUy3OjcTg+awIK6RU6HK27A3aZcng
                    MD5:031829780B8874BDA5EED32BF036ADC2
                    SHA1:FCA10C50A0485060E008D59DD1E9C190CBD405C6
                    SHA-256:AD63F732F46AE568E7154E87C0F9E6168D11106268150FD8A216209FF6F1E93C
                    SHA-512:A14EFAAA6AEB6ADE88EFB43CED9171AAA07E1AA6DB8DA1F8E648C4A11598D9DD5CB8C4EBF16FF47730867157E6CA9C8CF0DF97A2729173A1ACA99F77EC10898E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):48016
                    Entropy (8bit):5.4915826823473575
                    Encrypted:false
                    SSDEEP:768:jlu/Mltt+mOj4sg96XCNJdyIK6RUotvfJI2K1+r2C5Is5JEU:jlu0lttFOj4sg+awIK6RU6HK25r2C5zx
                    MD5:7122C21D9E16E7094EBC07E68B99F73F
                    SHA1:C75EFCE31D58A52F38528C38BD65057C54223683
                    SHA-256:28A00A0D57730B74524E8A4BC92D6B6978501EF4AF17E1B167E7DC336897B7D6
                    SHA-512:0DD3C81087E0DD550E448FF45AD4CAF4C00319547C2F59681F5042A7EB3BAFA7FB68AC875F29DEADE7A7EE3E986BF76C5F1D36B88F7856F58E37735D82DAAD21
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):47504
                    Entropy (8bit):5.4757508694628685
                    Encrypted:false
                    SSDEEP:768:SlPX//UU9omOjvRg96XCNJdyIK6RUotvfJI2lB6C11OMEDNxz4bOZa413Rs5Jb:SlPnU0OjvRg+awIK6RU6HK2lB6C11OM9
                    MD5:23950C517F575019C4B0D9C73E2606D9
                    SHA1:A2FBADA16B788D7D2C4DF9C02A1894A10B93D657
                    SHA-256:A4722285CDE5D8B7BAC27C6453BA760304A992E5D27F46B624195B35CD4338C9
                    SHA-512:0A98F0ABD11329C63E505D011789CFB40BEA174D03481A5753874012A37028DAAF0C707DF16D9E6A9C5716F4CB64BB2248E4228803E08BCFA7A8D6132B3FF974
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):45456
                    Entropy (8bit):5.6704022816249715
                    Encrypted:false
                    SSDEEP:768:PlPX//UUNmOj3Xg96XCNJdyIK6RUotvfJI2Ht028hss5J3:PlPnUxOj3Xg+awIK6RU6HK2235J3
                    MD5:73635CD3F463E0707FF74449D3EFC2B6
                    SHA1:581839E5338998912BDADC42997116BD60FCE05A
                    SHA-256:07E9822B5436405432FEFE740269D6655043E06CDE4C66F8CE73DB8F4BE2A76B
                    SHA-512:B6CBE59074C6B17CFD3807040233F8BD9E76C99E9C0DB04B1BAFF53972358ABC19ABC6DB6A61DE536DE2E42E84101B6403DC6ECAC8AE98887179DDAFDA4E5DBA
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):46992
                    Entropy (8bit):5.629984519036117
                    Encrypted:false
                    SSDEEP:768:jlPX//UUWmOj/Pg96XCNJdyIK6RUotvfJI2DS6dXs5JZ:jlPnUIOj/Pg+awIK6RU6HK2uQ85JZ
                    MD5:94F281E78208A2604C776513D60CCF83
                    SHA1:F52E84E8FD136A8C57A7ED86D12DA86722F31451
                    SHA-256:5F96DE78243529DDADE551F6F4B9EFFAE566AAB170CF015BA6DDD1711F5E5CB6
                    SHA-512:C7FEFB997933707829CF97B29013424E2225C002131C642530C2D21115698959A1657E94444958445A9BE5B5EBA55D2B4C79DEFB5890E20B9A38962F6032D32F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):169872
                    Entropy (8bit):5.158698154278617
                    Encrypted:false
                    SSDEEP:3072:ilDoOjuP2Sknkgug+coXq347dwlv/IgLNnWeJe:iuOjuPLgOq3edwlv/IgTe
                    MD5:0151C67E7E7F030452FB89B191BF9ED7
                    SHA1:0B1A5EC752385174953A3A9CDD6D13F1DB141516
                    SHA-256:6F6F0547D69B472A9CF988D3BAF192DA3686AA34CDCCA801A24925525362F410
                    SHA-512:FC6440FD6AB0CB54C5F9B019CED82A0CD4D254C84A63E76D2359494FE4CFF1BB00F8EC28DDDC004C32953266963BCA87A89018843A698B007E05BB17020A3D62
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):169872
                    Entropy (8bit):5.164996156764251
                    Encrypted:false
                    SSDEEP:3072:3lHl+OjFS2Sknkgug+coXq347dwlv/IgLDsG/NXbJW:3P+OjFSLgOq3edwlv/IgpW
                    MD5:7C792A8B44A11964568FA124E7D8E787
                    SHA1:ACC4A419383BABD9D8C94DD410337C34F7772444
                    SHA-256:A5C408D5CAD94DDCF30CC090F301979A6E96347843021CE855B48192707B073E
                    SHA-512:769FDBCB020AE705F77B9708F0CFC08B5DAAE0553714359A3BADE298FFEA81E48990686A16E02F093A9F2E8841AF6D812CC7C3A3E5C7A10DA2F33D7AD5E6BC7A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):169872
                    Entropy (8bit):5.1618038454468005
                    Encrypted:false
                    SSDEEP:3072:0lDNOjGA2Sknkgug+coXq347dwlv/IgLIZfJf:0bOjGALgOq3edwlv/Iggf
                    MD5:9A73BE789E268F0629E3CFB69FFF5851
                    SHA1:5EFE6578B8F3F47BDF55D885D82C28ABEA06032D
                    SHA-256:452F8ACF33011209AA953DE9FFBC96766AB15E5A28FECBA681531BB06E239F2A
                    SHA-512:DD945EF1F9234B18D4400A8C88D98695B1410ABCF047B1F1E738D48A0AE38A794AB2BB88637E0970D7F779ABC3D022D960C0723AE77F708890C637EB58FE68F0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):168848
                    Entropy (8bit):5.181229524294547
                    Encrypted:false
                    SSDEEP:3072:ilDnOjCV2Sknkgug+coXq347dwlv/IgLc0JZC:iZOjCVLgOq3edwlv/IgR4
                    MD5:CD4ABB2E05D28F55832F3D501A8B8654
                    SHA1:9E1F9F9D6AFD956A4740E33FB3171C2B2973574E
                    SHA-256:C4BF8E251BB3A3EE237239987CDDA7BE1C1AB50E5013B9614C482A0AE908ECED
                    SHA-512:4A92D3FAD94EE48B9B035E8DD9A7DED9394A613DC72A68459FE30DDF81B416637D4184542A3EDE3B261B04E8AACAFC1C59FB8690919AC776C69FF3D3C67BD667
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):169872
                    Entropy (8bit):5.187891592157573
                    Encrypted:false
                    SSDEEP:3072:xlD8OjwG2Sknkgug+coXq347dwlv/IgLnZJZ:xiOjwGLgOq3edwlv/IgXZ
                    MD5:85E0A322E880E907BEA5C293396EA068
                    SHA1:AA19AC662462D9F998EC39B89851F1AD8269D2A3
                    SHA-256:FC51189A120893C258317081FD34EA5F8EC70771F5F215BE0AB5891C1DAF0B9E
                    SHA-512:5147DECFFFD5319AC76617D70583749188322A1A3D5AC210C715F50901EBB8CEC1E569C6ACF761D27D92064E7518FA8CD4A37778BCD5B805022AF18CD929B33C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):35720
                    Entropy (8bit):5.699980524896233
                    Encrypted:false
                    SSDEEP:768:Plv/zQUWmOjB+sMCAYnxMWwjpyEr2ns5J:PlvLQIOjBQfWwIhs5J
                    MD5:16D174B09BDA7B3EA7EE8D6F3C42B3BD
                    SHA1:01CE8297241556791E0D053316192E5E3B8A49F4
                    SHA-256:AEC4023E3E53D04C33F9AEDE13BB539E28D85048BF33FBE3CC769BB76C2C20F8
                    SHA-512:5AEF424DC06CB0EE8CF701928C3A876430C817061AC2BE63F60555C9BA22506A840069FF07AAF96FAFAED1740178126D276B27FC565F70D3666E2EBF2B717488
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):35720
                    Entropy (8bit):5.739488301559148
                    Encrypted:false
                    SSDEEP:768:dlA/GO7mOjtusMCAYnxMWwjpyEr2As5J:dlAOfOjtAfWwIhr5J
                    MD5:1A17FEAA9CCF1D71C570A80540DD4ECB
                    SHA1:170B82251D410D85AF5B3BAA86BFE9428DF654DD
                    SHA-256:356E222865866AD0B3F1F04CEBD535FEDA4B007FB6F495CCFDD6AA8DB73D7127
                    SHA-512:00590FFF39AA48517D92E9C2AEE5428EB77A60B3753AE4EE0EE57A264B7A01F9EABD864A0F5DB1D9E75619A1627ECF2D75FD12EAE7D598FABFB040CCE96601B9
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):35720
                    Entropy (8bit):5.700938050279568
                    Encrypted:false
                    SSDEEP:768:Glv/zQUAmOjFANsMCAYnxMWwjpyEr22s5J:GlvLQuOjFA3fWwIhZ5J
                    MD5:9297CDCEE9DBB5C7205DF52E65944B02
                    SHA1:CFE7E126312ACD3DABFA35960A6B96AC783B9FE4
                    SHA-256:FEA217E672635223344C5CA598BD0A429EAB304024AAA56D6515479040A0B94D
                    SHA-512:62E5DE9A0EB901F546C0D9A2C4104316E38B09A17319DE1FC062D5E40473F08D64D3D5D3C96EAADA3DB6A3A9DF10312C96E02115F884DC11C3C3963990647DAD
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):35720
                    Entropy (8bit):5.700224071324304
                    Encrypted:false
                    SSDEEP:768:Elv/zQURmOjWNsMCAYnxMWwjpyEr2Zs5Ja5:ElvLQpOjW3fWwIh25Ja5
                    MD5:434BFB0F53A2BD0F8A050CD88C12335B
                    SHA1:42C818841E78CDC79E315B778033A5D7442F1ABB
                    SHA-256:55885F3E64B37A9D9BB4785608A24F73FCE075D39C1C3DB5434AE95C8E5B33CF
                    SHA-512:6C543CE07368554BC766AF87D75363D4813B0E681215C75821C25D2233E42FF65A0687E9CCBCA98EC2A7B3BA8A89A14ADFA77F8B00E48912EFBC3DFE16C8ED59
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):35720
                    Entropy (8bit):5.701113352864286
                    Encrypted:false
                    SSDEEP:768:klv/zQUSmOjM1sMCAYnxMWwjpyEr2qys5JD:klvLQkOjM/fWwIhk5J
                    MD5:499CB9EE0005C2AEB9D222315EDE0454
                    SHA1:253FD5BF9C9A82DA45A539700BC9041AFE23F023
                    SHA-256:6F1A5D9C4B7AD37F7A7E68FF2309E599E5415E9BE440D15F9CB637CD5E6980CF
                    SHA-512:BE5D6499644D59D86A8CD1256CE05A93BF9D81BE8FA16CE81AC1DE7ED5C9C3C80FFF4CAB7D45DC892EA5C72D0E04DB55E3FFD2F0B045DA8905A91BBC942AFA19
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20872
                    Entropy (8bit):6.225073586495531
                    Encrypted:false
                    SSDEEP:384:H8OXp2/qhFd6eqM5Ojh6IITBnYPLxsSJeeMlj:HlY/q56TmOjJINs5JE
                    MD5:7436CF837F0B3DF78D470B1E90AD7549
                    SHA1:2E0DC52F929629C5F25DBB6E1F2E4486B4C13F01
                    SHA-256:EAFC2AA83988A2DB2A3A5BCDD43440B5A1AD706545DC9F74CCD929AD99BDA9A1
                    SHA-512:886E98B03A30BAE5657C096FE9AE82C1887A92FC97EA6D6AC422E82076431D0776EE83CB55BF03E3096169DAEEBC9BD32474025BFBB2FF20A999B7CEBC8333FB
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20872
                    Entropy (8bit):6.22387254503726
                    Encrypted:false
                    SSDEEP:384:R8OXp2/qhFh6iqM5Ojh6wPT6nYPLxsSJeeMv:RlY/ql6/mOjhPus5J2
                    MD5:427BDDCFCFCB97A7116DEF939B122FAA
                    SHA1:E2AF53FD88C8CED9836371F6785F85483C0221C8
                    SHA-256:A5248023C1820CB7C18FDA3BBA8EF5DAACE83809A8EC2E5825240111FC7F6527
                    SHA-512:CDAFD6D7A68FCCBFE9BED8723FE0DADD2F7B28B92F493E6D0B5EE060C0FEE72774DC7E68AB1BB89FCD71AE371832CBA86C869A49D6C33387F1BA45318A483DA9
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20872
                    Entropy (8bit):6.222870888513638
                    Encrypted:false
                    SSDEEP:384:78OXp2/qhFC6+9qM5Ojh6hwTRnYPLxsSJeeM:7lY/qu6NmOjQwts5J
                    MD5:07A10B8CB9F8F12898699FAD1D38726B
                    SHA1:9F157D34DBD6CF9A4A4108D7B9A87D073734E09E
                    SHA-256:57EB99A96969EB41307896DAD70B7A778A8B75FF90864EF426ECF9080338669B
                    SHA-512:13A8992DAE1E7F0E3FB0C8070A495AB11DC23374B080838287E2A794B679EEC35801E92F411A2E3858EFE6C1C29F5609B18BAB45B7E984F386CC4954E2B6C1C7
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20872
                    Entropy (8bit):6.223537001151099
                    Encrypted:false
                    SSDEEP:384:u8OXp2/qhFN6EqM5Ojh6MlTknYPLxsSJeeMhJ8Y7:ulY/qJ6hmOjtlos5JK8Y
                    MD5:3889A7C1B1F184B09873375257B1471E
                    SHA1:6FCDFE6E2DD8C074F3F622E40923706A0EB519B8
                    SHA-256:ACFD04C9126D99253CFDDB04E3D8EBF9AE70D1C41D189EECC1047FF8879BA53C
                    SHA-512:F456020277448B9BF9BF20AC2E918E23C9F144AF4798F6382747AB212773A37307D2AFD87A1CE28A08A70DC0934711279E768C2F6DDA3CECA6FE22D9A9B7084B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):20872
                    Entropy (8bit):6.222713280731852
                    Encrypted:false
                    SSDEEP:384:/8OXp2/qhFV6HqM5Ojh6CtTZnYPLxsSJeeMGogrmg:/lY/qx6KmOj7t1s5J5
                    MD5:44B6C157A043E80B98CD00D510B6445A
                    SHA1:FAE50297344118F5FBFB34FA6FC3859CB365B561
                    SHA-256:4C2A6094B09C168D2BD2C6A3F6AA6BCF8F4254A530B6AFBA499F98734D07234B
                    SHA-512:17F0DD0ECEE5E0CDEE54E6A530681830FE48BF88517A845ED1DE724FD10C5BD850B5F43ED0ED0EF6DA6530B00093B81F70B9E5892E1D6E34CB3B17951CE061B9
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):491520
                    Entropy (8bit):6.521122317413073
                    Encrypted:false
                    SSDEEP:12288:zL3gBlGuUrx0PDH6iksFluWb5orv5szppYR2Z3g55OleOn3n4g:zL3gBlGuUdVWGb5szppYR2ZwPOleOX
                    MD5:916B8C9AABA43052BEE40CBB325A33DB
                    SHA1:3FE8FBC1B83910B78FF75C2D2F5603BFCFBCACC6
                    SHA-256:5EBBE3811AF2F3523B8EDF57837EB59F3D7268DCF4BDC8D06077EF84B0B69E94
                    SHA-512:5AE0C85D37BE1C495297AAFC7CE881CBD9C9CAE613A816ECE8EA36BAB3FFA666AE34CF985415ED7FD33C968719F3136CA19D393AB960E1428BE855DEC4178351
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):25600
                    Entropy (8bit):5.466383758611866
                    Encrypted:false
                    SSDEEP:384:fiH31x3rNILgCSAkWugrvYpEpGo7emIX8A:K3v3rNXwHYpEbJIX8
                    MD5:746444AEBC6597424203806E90DC625B
                    SHA1:A00CD5EBBF4116EB4D269B4E2ABB2E8AFCF37BA9
                    SHA-256:02DC53D2D499C334F6A6B49B2F9E6C245D5ECB6A4D5FB2D868D24E7642F41923
                    SHA-512:A5104D08CB6B25BC6352BED17B3E1C7D6D12C9048C1F4DF648070FCD63315AC5592970178DC503B7360DE72C9CB08A4A66895371B6E44EE47DA203C3934A1BC5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):102400
                    Entropy (8bit):5.687942971428088
                    Encrypted:false
                    SSDEEP:1536:GW3C5V65/cRx0vrg8iU/oeb83ud71zKA/bVPEnTCsiaVga:Gh65Kx0Ss18o1PbmTCsBt
                    MD5:F2DFFCAEB95430BF6B7528A99EFF1B1F
                    SHA1:721FF231C03E36EEC392406110CF3A99D8CDA02F
                    SHA-256:D7BD04B7A23283A65DA7BEA31639D5B14650768A549AB7A3EA74B3EB918544E4
                    SHA-512:1FB5CC5495969898DF9AF451C486CD2556B51D4EFE9EE8BC15EBC0E5E23A82796B8BE2E95DEED8E242085AD2C5ABEF6B4FAD900FB847FA46C91C510570C8D2F4
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1218976
                    Entropy (8bit):6.555512557214084
                    Encrypted:false
                    SSDEEP:24576:NQnwB+SqAFsbGoy00mT944poipOTQiknz6XbbNjDCvCKixk45fH8SZf4aQKBS:axAAyMV1vziiCxxzZBQKBS
                    MD5:B9153BA27F008B5BE104A110CE3EF4C5
                    SHA1:F128845346BFA4DE29EFE2E41B6620448A33DE20
                    SHA-256:696E9A24F21B33AE2463F65CEE3638F10728A9A323AFE7FF96738FF9E44304FA
                    SHA-512:A39671D42193DE83D4FF782EE96468771FC7181F2E02CF9C1D620DAA558457FB018ACB991F28BE9E49D63B6669CDB7C409820B9D08B32304636C1BA6B3EFD1E9
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):17312
                    Entropy (8bit):4.9522215837440156
                    Encrypted:false
                    SSDEEP:384:bJcJZ5374JkJJpMJ9UJeeZpJJpAppDt2MPnYPLxsSJeeMGISe:wms5Jw
                    MD5:A862FA9C92CD6A7F1647BFE6C4B7398E
                    SHA1:2B599B7F134803BD8959EBDA51F11A2107445958
                    SHA-256:18C33C22A36BD96E9DE570129163CA5778D006525CDEACFD40A6C8D44B1940A2
                    SHA-512:2C2E1E3AE5DFCA6886BEF18BE58C5506F983CA81D24E093C71DBE1F1CFC1A6480290830F9E4A6E34A78D0D36BB16584A47E80564D0F416538E17A123C34917A0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):17312
                    Entropy (8bit):4.961316195005657
                    Encrypted:false
                    SSDEEP:384:6H2JcJZ5374JkJJpMJ9UJeeZpJJpAppDtBM1nYPLxsSJeeMxw:ao8s5Jt
                    MD5:DB5F647991D24BE65476EAFEBCCB4715
                    SHA1:E6A1CC84551EE8E2F01CAC4D918C103A5B96A2B8
                    SHA-256:209A4C142875CAF6EADBF4948D4E8D329EC1F5742C64BDA65983AA376136208A
                    SHA-512:4C9E294933FFAA827D3D8ED869E98CDE9C9748FE08B795C73BCD5A431EFEA197C43932B7CE2E6D7A4B8403FB37178E722BE4FC43FAB1650F24CA0D18C0A8A309
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):17312
                    Entropy (8bit):4.953062763851189
                    Encrypted:false
                    SSDEEP:384:SJcJZ5374JkJJpMJ9UJeeZpJJpAppDt/gwnYPLxsSJeeMxBGU:eVs5Jk0U
                    MD5:C28197FCB4BFDA8E5F7071903D01DE30
                    SHA1:35DADDA9BFA1F66B09880826C8508EE005BB1EC3
                    SHA-256:8EFB978F242B184836C21ECCF89994CB7EF83E73FE0A7F4C4FA2F2C303EF0DCE
                    SHA-512:F89EFB3C81A486D5457DA5F8B0A8F579D2D76105D32D1460DD9591C4BB0A39D957E2377AD07F2C4776F970AFBE6EA87F79BE7D065865DB750374A4EAE225078C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):17312
                    Entropy (8bit):4.949429099170518
                    Encrypted:false
                    SSDEEP:384:QJcJZ5374JkJJpMJ9UJeeZpJJpAppDtsHTnYPLxsSJeeM/:nzs5JE
                    MD5:55B2D5B50E827BF1DE527E5AA060F0FC
                    SHA1:396C88F4F9C39FA45C568EC064EE3ED59746949E
                    SHA-256:C4915D12089E580EB08B986A5B7DCE5095E714877637424FE4C5EBB6EB135443
                    SHA-512:BCF4C8652C287AE37AEC6E280FBA5096CA328CA7A095B7A407C4879B5F8DDF7E1D573F17EA418661D04622381191236AEEF3E52AE7FFA7D3EA951CC355CB424F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):17312
                    Entropy (8bit):4.952831846369952
                    Encrypted:false
                    SSDEEP:384:aJcJZ5374JkJJpMJ9UJeeZpJJpAppDtcghonYPLxsSJeeMrrQ:pvs5JorQ
                    MD5:63C054BAD8C08D49973CBA98B1F9718D
                    SHA1:F99D6DF3152D3E12C97FF077D07BD898A79496A3
                    SHA-256:8081129D57F15132A05D38A23E9A30DC422663A6D8DA6AF501C5A8DB32B1CB31
                    SHA-512:F642880BFA317247756B90BF576C9DA8B2D09F1BF88CBF8A9161EFAF4607078364367511B8118A655A83BA41900C876B1D81DD53573672BCBB9D37E719A2966E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):17312
                    Entropy (8bit):4.948815023180965
                    Encrypted:false
                    SSDEEP:384:Y2JcJZ5374JkJJpMJ9UJeeZpJJpAppDtXdenYPLxsSJeeMZ8r:Yios5JH
                    MD5:8BD2A91C4FF64A6E48F5B1CE7150796A
                    SHA1:D6569975B4C990563B7705CB55B472D52B0B52BE
                    SHA-256:3D89F8F8BC1B2530FD19AE7A2B642BDF5EA6B3DD2CDA8A9FD17EC3525DA7738F
                    SHA-512:31BE8311789120D35E972A4319CC77B580EA799630DD8D153E27D0112AE24197D4A0A2DE41D25ABE4123FA3D77E33B6DF1241D565F490F15EE7609BF3F983894
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):17312
                    Entropy (8bit):4.951180667197063
                    Encrypted:false
                    SSDEEP:384:FxJcJZ5374JkJJpMJ9UJeeZpJJpAppDtIg3nYPLxsSJeeMKC:u+s5JM
                    MD5:2690707C06CF857579F5C76AB9FB6382
                    SHA1:AACDFDF09212CFD7117B3D391D604C9EC99663DD
                    SHA-256:635FA4E3E3C94084742FE68DF3BDAA1243D85083966C0FD6AF8E159F4B9702C2
                    SHA-512:EE2523284C2EC9F531099BB10F45FBCA69B7BF4E3A082ED87E352D39BE6573F42985FE2E1464036E13351DF689B1BDB87579D4CD99616AFE1AD69387AD3EF023
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):17312
                    Entropy (8bit):4.956030612648236
                    Encrypted:false
                    SSDEEP:384:6JcJZ5374JkJJpMJ9UJeeZpJJpAppDtKMBnYPLxsSJeeM4aLT:Dos5JN6
                    MD5:50137162104B297CD72C91F5C77A09F8
                    SHA1:1F23E63B77576EA4684AD7C99FADCEF5D8E3BFF4
                    SHA-256:84224EC240F9288FA53ADE71374B252668FA7E291603EC22DB99F8990BDC893E
                    SHA-512:F2B5A5D50B225FE949E8CFFEB423B7687B06A60B0D61C6369A2470D1F7527CD9CEB02FD2C9C67D7752B85D8A429BB0A3393A169936881AF1EF7113B60EF95111
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):17312
                    Entropy (8bit):4.954767390940788
                    Encrypted:false
                    SSDEEP:384:VJcJZ5374JkJJpMJ9UJeeZpJJpAppDtvg3nYPLxsSJeeMiA8:Las5Jn
                    MD5:7E79377D69F1217AD2AF8B5BA385F23A
                    SHA1:05DD18F1696F0FB1EF624F893D09195F7B868FDD
                    SHA-256:EB26699E1BC598810C906CFC3128BA0457147B3C11F971AA7DCB6BEF5BC64AB0
                    SHA-512:B7DDD13C93C20394D833C542582383D7CFDA958F3C323A4B42AF5F165D75463DF0B3A059D417AF9DE23C24BBBF3C79A753CD6F3B341000C3180680C69BEC0C17
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):17312
                    Entropy (8bit):4.948886485319295
                    Encrypted:false
                    SSDEEP:384:12JcJZ5374JkJJpMJ9UJeeZpJJpAppDt2dJnYPLxsSJeeMz:17js5Jk
                    MD5:0B3AF174260C720C6C08675FA12C69A9
                    SHA1:B4D48794B63225A4D1717CAB8949383477F7D84D
                    SHA-256:EC5ECDE9B7BD362AA2B43DDE76CF626F11C5BD99800397064A4290F95F5FF5AE
                    SHA-512:7AA088A6766D46BE08C1B229BC025A7C6C77D79B8217AFDDAC8084D367A87E9F36015C2CD94B374B606B5EE38C7DD80E9184D3C0A25D47B2BE1729CAE3FE2579
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):82696
                    Entropy (8bit):5.8256030502551015
                    Encrypted:false
                    SSDEEP:768:mgm6ed8wCWxsx63OBoVKMMosHdrzPiz0qgOmua9Ym1iauDq55Q/Ct/frVmqnLbQ:mjd8wVoBovsBPiOVBiau25QKH9nw
                    MD5:88FC6ABA2F80030F35EFE7F3DE420B86
                    SHA1:C47260D54E0E5AC4E49388C0C1C888DC9153D08D
                    SHA-256:6DFDF30EFA6A8A7EB5BDC8319DAD5CE5B6573DBC17952469D3430B547533887B
                    SHA-512:A5B30DB79461A514EE6F4DA90BF8F31AE4CD0903130DDE61521B1D3C4D43462AA013A3C180492DA804B7AB110E2D8DB3982029E0D16E23D37A9737A39342883E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):121208
                    Entropy (8bit):6.175261710378042
                    Encrypted:false
                    SSDEEP:3072:hyUgiODvMfsSJ+waNtr4uSWUABODLzkvJ:hyU80sSJ+wyuvWUABODni
                    MD5:154CBB4E19B7EDC76065F61196AED695
                    SHA1:25301B72E5C5EFB33C437EA663870D47A78B8F8E
                    SHA-256:1BE3AA1757BF48003B8ADEF6940B46518174E3A983DB98F0E7D54293B162C03D
                    SHA-512:6C13907A290EFB0D16714861067E01637FE2CC19C37B2726D836C8CB5B9D14396369CCA7B0F974BC99316A991ED6B2904F45215AAE968EBC555E3D088A7565E1
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):170360
                    Entropy (8bit):6.137662174412747
                    Encrypted:false
                    SSDEEP:3072:GJU3R9N4mtWmFFNbRAHzA33MtY4D/vNWAKODAvEzJL:GuR9emtWmFKzA33MzDXNWAKODAML
                    MD5:E493BBE50AA76104C8DAE60EE1468392
                    SHA1:EDB523FF7891FA64E6977623E8F4CD6235B60AB8
                    SHA-256:A05BF78AF94F7664E1398B2E45A4A6209521A5F58433B828B7330C2B5D749959
                    SHA-512:3C3C75F99A995458FA43B92FF9848F0ABE5B773BD230CE9382BA10183FDD0BE92B98BDB14C52B377D705BA9C99A9B9D49EDB9AD19C19E7C9C7110BB67D7108B0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):244088
                    Entropy (8bit):6.241150383510873
                    Encrypted:false
                    SSDEEP:6144:8+W9Hsp35TZ+d6x9USMlVDxXDuBrwLJGBBZjzakGZUwtAgODmVk:eq35TQgx9USMlVDxXD4U1GBnfakGZf1k
                    MD5:C951B89D22B0F12EB359EDE80113D223
                    SHA1:1C6392EE00078390E8D4F0D9E89366733A334019
                    SHA-256:5F99347A41BB17D14B8CE0ED6BDD68FF68515517A1E3A9855F8A6466543714C4
                    SHA-512:F4E561D70C4F348F2BE51AC165466241D87516B52D937BD8AF48394162EEEA5B2A11FB1E4137D51CB1D52CDEAD3966578FB7F954130B22358020993E1CA87359
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):235896
                    Entropy (8bit):6.216798474119745
                    Encrypted:false
                    SSDEEP:6144:3jVE7V4xXD0IbbShlXpZL2VN8BbUXuZpwdLODkz++:3jVE7V4xXDZbbof4N8BweZp+++
                    MD5:3B82E6409BDC2F3F2DE8B45A1E1B5D24
                    SHA1:76CC181AC5F46E4E046173D5E390700F7CB0532A
                    SHA-256:000787CFF1338C5FE063C8EEE7EE1ED73E348F69166BACF8B0A36C7FCAE5EAD6
                    SHA-512:11B25B4A5BA38F3D29C657700A606FA51F12EA11D3936DCBE11C41C74459456A7A038D0595CC439AA05367F16EEF654A77533CC86ABC4F90CAB9790819CFC820
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):260472
                    Entropy (8bit):6.1863365109217066
                    Encrypted:false
                    SSDEEP:6144:G5kKvk0gn4XIQ0I33CL0JyKW67ZVAgOjjbcq:G5hvk0n4eCLwy7+ZMcq
                    MD5:FBFC208A6C8F8D5E95B3C09D2B2A3578
                    SHA1:56C52C93D5287A64ED5B7FCA70BEEFD6AC858197
                    SHA-256:6C4C1E2924515814D92E1268233399EECBCC1F540E4D810C6E1418D1AECD1024
                    SHA-512:67ED57E2E918125BDFAECA1B7B3667733C4C8C5175E12261C848237E908A51BBC9466DDF4850B1F547F0BECDD512064068AFC4F1C538B697F5BFE60F90685A95
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):5.9947759834191885
                    Encrypted:false
                    SSDEEP:192:iEGMG6/nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHorocYLYO:rGMG6/nYPLxsSJeeMTRp
                    MD5:FF9D970735FD7013D00F13CBC0207C15
                    SHA1:F96BEF58D832F82A2D695E24EF02859C96FCBD64
                    SHA-256:41CBB1466560A0415882838E83E6DECE19D2E20A584AE4A3F5AC72100F20588E
                    SHA-512:EEF93EFAAD96EDA758201629F66FABFEC84ADE2F69AECFE9E2CEF2816FBAD1DD07399352AB1BA9836DC17DDBA966FF0A25D3F18A8430351EB5700742BC874F11
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.006217818164916
                    Encrypted:false
                    SSDEEP:192:/G6LnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHoroDYE8:/G6LnYPLxsSJeeMn8
                    MD5:819461C8B8562EEE82B21AE57F744ADC
                    SHA1:BD27990E9669E2ADD7ABCDCE71B83816D94794A3
                    SHA-256:DFF4F6930C7ABA22CDE3F675AEEEB9A1A363E3DE8AE71CF4C9F108B43127FB62
                    SHA-512:0CF6C6E4A32EAF297721B628E7EF9B8DF9346B7683343767AB1E550255CE23B1BD4EC1FA278A6EFA29385FA61FC71B0A3A2FCDAB578F23EB9C778D862313DB4B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):5.9901174425124575
                    Encrypted:false
                    SSDEEP:192:TG69nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHorNe44F:TG69nYPLxsSJeeMmk
                    MD5:5766C619516263BBC70C9A9E9F6F0363
                    SHA1:AA17137D1D443DF0102C321C08719C39B6E2BD70
                    SHA-256:9DB202F5105096BD156B3E4A9175F7519DEA3F01BDD673E35497DE16BA827954
                    SHA-512:A2A4269226982BB048D27AF2A730636A04955075F5C9E2E026370B88A96C038FEFB271539FB16C68061247C8E9120C1876B553F4F30657A90672A790F9A1CDB6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):5.972011129850402
                    Encrypted:false
                    SSDEEP:192:w80G6MnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHor+Kcg1:iG6MnYPLxsSJeeM5KN1
                    MD5:243BA0EF3D9228A28CAC5BEB6C268B6A
                    SHA1:1D11CE1F05BD8386C00538D9AE822EE9C4D9AE6A
                    SHA-256:23E6F611D17A0530452BF3E889F70C7EEE02E70BB3AF145E9FDF8DCBCBA47F80
                    SHA-512:80A86619E7CA751FF2AAB9C4564AA4FD58C4A119C5B2139FDCD7056F0D577639D14CD81B83D582390D48D40C945C4E8C264218E3DACA28527EFEA689036BFBB6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):5.981283482769776
                    Encrypted:false
                    SSDEEP:192:c+BKG6hnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHornV:nBKG6hnYPLxsSJeeMK
                    MD5:DE9C019A07DEC4B7AF0EA87EC1B1C8F9
                    SHA1:44FC23D5E190E6C34172BEC02757AF3C3FD596A8
                    SHA-256:5B3E897B346D33531D30970F4FBED223A3A7A5E11E7AD827DD9A2216DCABAF5D
                    SHA-512:7FFC232ACF6ED93AA91FEA98CD02124B0F99A5052C998B228FD8CF8C2A0CB99BB989F4AD458A7030A605AB54C41457586540E18531FE409E1A109F6D9795CCD5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.090604785974706
                    Encrypted:false
                    SSDEEP:192:YTT4rG64nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHorJ2CU1OFVs:KTAG64nYPLxsSJeeMOKOFK
                    MD5:95A0550FCD959969A29F9329BB84DDD1
                    SHA1:EED66EB34F5B2707CB8C74A534CEA61E74E9AF85
                    SHA-256:41DD19BCD2D4DE04ECAB56259DC11AC9588AE1663BF855667B25BE1B7CFD7804
                    SHA-512:E4388C27345A7359537CD0AC3351377057B461308B3DC05B33E7877C4016C1E366086F23E6ED5EF481816BB8E53BA3129851E8781C0E196CA485699370C2D5C1
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):5.986564748667438
                    Encrypted:false
                    SSDEEP:192:KG6EnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHoraF:KG6EnYPLxsSJeeM7
                    MD5:87C9F4BCADFCEAF8E246D3E082D1DD64
                    SHA1:03A4E599ACF262AF903A476493C9A2540A7D2F9F
                    SHA-256:CF7F908332F59E755C2B8A98AD8C29CDFE28429689E38CD5AB429F9115016FA8
                    SHA-512:56D21928931A103D7784098425992A237BB259DC788CB712AFE16CB99461A41977E04944F46ACBBDE36DFEC61C226B59CA9885C9A5D350EFED64DD429874C82A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):5.990911969359506
                    Encrypted:false
                    SSDEEP:192:k/G6qnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHordyObrwK:mG6qnYPLxsSJeeM+
                    MD5:2F4348F60079B01AA59B30A0DBCFC4BC
                    SHA1:473FD91AC8619196CD7B1CA4AFF3649AE39AED73
                    SHA-256:9B787A008BBDA3772C379F1546F1CB7BA9785DDB5FB260A0219DF66C931009EC
                    SHA-512:FA5C894071CAD0DF29619DA29DFF437B8FC43FC11E0BC9EE658C6ADD66472824FE155305923F041B19B4571E10C5DBCBD16E809B37D8B0183D99A01C598D5C07
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):5.944888805049228
                    Encrypted:false
                    SSDEEP:192:ZaD1bRnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHorrmP:cDDnYPLxsSJeeMei
                    MD5:532B7DC088EB421EB650F37D8F54130B
                    SHA1:ADD6230CE691AEA06C8D4D87BBEB52BAD30472E3
                    SHA-256:14964552A6C614E24EF013E491B99D857024D96091F0B2D0B440DCA84400DD70
                    SHA-512:A124816838F8A8EAE36419D36E9B07276D0FCCC70CA93C332B3F09B32AFA302758091765C42F4ECD3C549017A0C64DBDC41E53ACE9CEA95A3F06B57BE7ACBDC2
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):5.945589550280178
                    Encrypted:false
                    SSDEEP:192:gaD1bHnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHorEETR5:HDRnYPLxsSJeeMOt5
                    MD5:67B477F5090FB624C34E3ECB5714DC48
                    SHA1:A5D146705D4E64DF2DD1CBC4F0F650D73760C146
                    SHA-256:F9F40BB8E01F4E661B6D31177D59D9161DFD34B7F06EB206C805E418724EB9F1
                    SHA-512:64B8906E2F77C99859993698FB95029DC7C8D7A558CDE930B2E1BE778583D1A44C9820CBC014797439467156347A8C37D4EDAE840ACF5C5B36AAFFAD9FDAE07F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):5.944902012118886
                    Encrypted:false
                    SSDEEP:192:eaD1bEnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHorU5a:9DOnYPLxsSJeeM/M
                    MD5:DAB9E5921A6A186D0510551BC336AA0F
                    SHA1:B7D4A8F50D125DA5EEFDC697A2993A3C56E89FB6
                    SHA-256:AA328FDCEC175AA814C35CF9593ED95ABC8F8B7E3875A66D0508F71D6716D8B1
                    SHA-512:C0FC32EE60872B1DA05A9CC4D0223E6636EE0ECE8DD0DEFFF363CA84FF25E95270B358C4F2D7F5A47E0BEBE3A37A6F29B9A2038E3D9AC4D63321F915454F2CE7
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.016077903450713
                    Encrypted:false
                    SSDEEP:192:t4ijD1bcnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHornzs:t4wDGnYPLxsSJeeMeg
                    MD5:6E6D03B049B193CBD3E5B1841009BB57
                    SHA1:91AC77418EEFB16986D17AD4639CDF320CA97CF9
                    SHA-256:E3EEB02CD653D83F155C12F6B536F5B50F5ED0A428145060614BA6C861F152CD
                    SHA-512:4EEE6F234638405FED5B45F388B2E5412F0DE8EB1176E4106F4666C83EAA2FD7C5B88827C9044A1ACFBA267AA5B7609AC31E56D2A7EEF0041656DBC7DAF5B0C8
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):5.943237433979038
                    Encrypted:false
                    SSDEEP:192:ieD1bDnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHordnL:tDtnYPLxsSJeeM+
                    MD5:AE933F498B8E910FB1A29197CFDF8137
                    SHA1:3B81911ABC6357716C45A90312011500757B17BE
                    SHA-256:7B6F86956231EFFFF8F0F6E75F4192EF4D6BC288D5C359A67900FCCE557671AC
                    SHA-512:B224CD6974B73B774DFDE163DD42F1D635DA365A526EDEE158C42718C5A6E7666C238E60165FD75E735E4EBFC1DDC05E45CEA0ED39F0EC6CFA808FA2BE354174
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.015825671026806
                    Encrypted:false
                    SSDEEP:192:1soD1benYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHorVBBK:19DQnYPLxsSJeeMIm
                    MD5:2E5330402F7AE6D28F8BE588FD6536EC
                    SHA1:CFB9B07A7AC18442A681382AC360F0C2570F4D7C
                    SHA-256:A8152D420F73AB8C113CDEF677E11E3E9DB760A37C0D5D6D52BD4855E7D7B16C
                    SHA-512:EE47FE55947DF14A9B3C56B403C2311126619A5FE2A45E9BBA4FCD4DD9AE5990FB401F58DF46B0C000C746716B17B11354E8E7FC146617A6712ADBCEE0A555AC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.009315334772472
                    Encrypted:false
                    SSDEEP:192:yzID1b0nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHora6W:ysDGnYPLxsSJeeMz
                    MD5:37DF0283D5DA720BEAD312C7CDD94948
                    SHA1:8B289E57299E412A56CDA245588691096FD77B09
                    SHA-256:4A153E9BE4DAC8A2FC52C425975EE9748EE7780F53A01EC524993AC9F68611F1
                    SHA-512:EB25D22A4367CB813AB95568F094A14802BDBA5668FB43510882E4DACAF65AC8FA131FDC30E3B2B27C778662535712C01F581FBFDC6054D5E11B457F39008537
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):5.951458853632373
                    Encrypted:false
                    SSDEEP:192:ZnHD1bfnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHoriXC:ZHDxnYPLxsSJeeMY
                    MD5:FD4BD309DA7DB8DBD8017841602E821E
                    SHA1:CA0140EEB7D3D185D53ED1F5B64AF7EE5A220CA0
                    SHA-256:B8AA9DEB71DC19F3F47E3ED0920291788AD3C54B1FE2031C249D085A0C102989
                    SHA-512:1F7D99FFD776609E23DD57F58117697D00FF37460F336C7AB352CEB6C887D7E1500BE3E507EFA77A909C20E32D81FD69FA4EAFF68AD815D255EFD58AA85D8C08
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13176
                    Entropy (8bit):5.7282134983037185
                    Encrypted:false
                    SSDEEP:192:oy95zvolABJUEnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHorp3k0w:VzvoOBlnYPLxsSJeeMH
                    MD5:A6C1F304B33C4118DEB2B7633A1A9BF7
                    SHA1:D76A34A2735FBA912C4C63A03F5093D0D2CA7290
                    SHA-256:4E8AC6A2CFDAE3079F9895833894DCF5324D5919F2186671BBED9EF93DCC7B79
                    SHA-512:35202551AD0BFEF86614F6654C1B150DB4C465F7AECE22070F50D7D8C10E31451B5575E0CE1366CBC937D9C7C80C830F2445FABC41FFDA0293F60DF8EF07C679
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13176
                    Entropy (8bit):5.742325732548068
                    Encrypted:false
                    SSDEEP:192:zbYz3XlABJUShnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHor76fu:fYz3XOBdhnYPLxsSJeeMHu
                    MD5:B4A5CED470B7566EFA718E0D22131050
                    SHA1:EB2635DED583A30FBB364DEA86B9403899BC529E
                    SHA-256:0E14C2E2CE8469F16383FC02689FFC19E67C90AAEC1D512353100F328853C548
                    SHA-512:F68FD9143B1BF13179D6360B49DB116DAB056ABB7566AF4193329E3C15E5B14DCE6ADCEBEBB0782029F16374AB6171F200F993F9F2437E85FA4C33F61437CEF0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13688
                    Entropy (8bit):5.713715464741184
                    Encrypted:false
                    SSDEEP:192:VllABJUonYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHorofU:3OBBnYPLxsSJeeMnc
                    MD5:6FCA50EEF88AE67A31277E292E2F478B
                    SHA1:DFBD76ACB8EDF2D3946B155A5AA6621A51CEADA8
                    SHA-256:90392D12E3357D0F30B5D657D3C540C7070EE92154A58B0AF5599ABFF66AA3C9
                    SHA-512:9AE7AC312A871C3F3AA8D0C3B8BFB09C829F0AB37092D9B5A628DEF96D0FA4F68653A8B85B8C01066B960C823C11AEFFF286E418EF0182F959D0E6019A71F2C9
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13688
                    Entropy (8bit):5.745283188863553
                    Encrypted:false
                    SSDEEP:192:H8lABJUcl6nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHor51f:cOBz6nYPLxsSJeeMY
                    MD5:2A6279BF4041C21C36F34672FFE5EB7A
                    SHA1:2CC8E43ACE335D7C9026585093E5C42DD56C44BA
                    SHA-256:059BC45950D69C006C4264DB0A644E43C33356FFBC8EDF67E50854925B573D0E
                    SHA-512:AB5D3799979FA501A32D59091E78B78DFC32D27BD2CEF37F099B05615B212C6D5865B6056707403AB8D809487942D1FAD41F37E364B5066EBBA7D5CE28AE140F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13176
                    Entropy (8bit):5.678994917371953
                    Encrypted:false
                    SSDEEP:192:9f7lABJ4nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHor+bHj/hQ5:9f7OBunYPLxsSJeeMFD65
                    MD5:AEE4563BD6C3D4A60DD30F66B34E1D27
                    SHA1:824ED4C739C92435804F60C0307314AF87E48088
                    SHA-256:F1B284E4599649B222F22F907E1DD87A7CD3CECEFFD316A0738097A1788A4152
                    SHA-512:9DAB5AA7C8FE10C7D7D4FA9125C67A584AFE5511EDFC1BD31ACDE8966DD67AE20CCE6B8573DC89A3F8379DACD828D0544D9B5F810EA65934FE40802B025D13C1
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12664
                    Entropy (8bit):6.044378580905718
                    Encrypted:false
                    SSDEEP:192:OOhVxElABJU8nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHorTeY:5faOB9nYPLxsSJeeMWx
                    MD5:5E65F9F1F4770881269140127794F18A
                    SHA1:BA834591A40CEB569CE1E3A584D44A76C335B239
                    SHA-256:C8DF49E4CC6383E15D9561F8FD2F0816CEEF2E5B6553D8754162C30159BFA73A
                    SHA-512:9996FDA51F9F34E4044EFC67DA4FDC5AFBDAF89EBDFFFED2B7E76390D6163AF9F60096125F6A108A2EBD81AEB23685EC1E906931F1030B514D49B7047519702A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13688
                    Entropy (8bit):5.789775894186176
                    Encrypted:false
                    SSDEEP:192:hwqDOD4f5lABJU2nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHoroXrHh6:jDODuOBnnYPLxsSJeeMnT4
                    MD5:5CD72C5BFA6BFE1ED99E9275C824883C
                    SHA1:46747927845492DC70EDF907516D1AF41DFBED54
                    SHA-256:EADA7CDB374E3A7306D6886245AFB5676D1D15F55B37CD8FEE9F5AE676F38C8F
                    SHA-512:633D1B20F1B4C081747B8917AEFB775328755E1BEC37BF10E3D5C51357E8298D9BD3D6EC2C95AAEEF48B4724759A7259BD57899C39123010A78DEA55B31972B8
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13688
                    Entropy (8bit):5.749796571847451
                    Encrypted:false
                    SSDEEP:192:vCX6PUwP6KlABJUfnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHorCcG3pK:vCXIBPrOBanYPLxsSJeeMs
                    MD5:67D84B7F10D5D59A20C46AF913BF9FE3
                    SHA1:D84390B0062A427EF8E2722E83BB1A85139D2702
                    SHA-256:760C085F53177311C1E3843A4381B43593FDFD2225EB79DCC78B6859D6502FE8
                    SHA-512:DA10A4B4EED1CCD41187029A745FD9B19B9DDC0959D7D495E4578092F862E9899985FED0F6D00412896CF66FD15CD4BCA2CB78399B03031BA12E819D9DCA3DC8
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.026518103538181
                    Encrypted:false
                    SSDEEP:192:zHh9nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHorPh5:zHjnYPLxsSJeeMk
                    MD5:CDC366FE8423FBE7898B723572980CCF
                    SHA1:AF11684A8A1AF65D0576482EB8B8EF26125AA84D
                    SHA-256:4F18B9449BDBECC8DFF3AEC0E803BDAFD91103B7700FF861AC79F38DC29195A4
                    SHA-512:552E54BDDA99A8D70CAF799D732975C5CA160908F8DFBE75D23095A39CD4F4FCA9A95E832F3C2AA63F0BE6900760AF49DF04BBC29661450F3FAED27C58663F3C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.031261009455922
                    Encrypted:false
                    SSDEEP:192:EjHhWnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHorte83oR:wHMnYPLxsSJeeMUe/R
                    MD5:9633BFB3101807C95D33978F0AB55AEC
                    SHA1:0632966ABBFD679E2EBABD79CC532340AA81B3C0
                    SHA-256:8D15E34AB36D6BD37F6189BDF573F1636B3199BF635C43CC7E8069474E2B1355
                    SHA-512:032BF574814426F2EEF2D7698AE8304A8125AC4DB136C9D84857F63088D69B7DDEF39140E11BC666ADC3A9E52544C2BE8AF4804436029AB82D8F94FA0D5FCB29
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.022028138562913
                    Encrypted:false
                    SSDEEP:192:vHh2nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHordU8yD/:vHonYPLxsSJeeMYwj
                    MD5:65259B698A6FFB34EE49C84E6062AE22
                    SHA1:442F2A6EABE6B3EAFAD78581D90D3A7A15980732
                    SHA-256:B9A2CE25DC31B13C3FF98D3220C9CE96CF036B4B1792260BB2D84053C908602D
                    SHA-512:C68B809E2952227CAC84C3654382B20C8589AD1B6151B155E95434848959DE3E7617A92ECE66C1C89AC678535A348CAECA8EAF84890B3A9C0509B7CE2597999D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.029529409053026
                    Encrypted:false
                    SSDEEP:192:/HpXHhJnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHor1x3vYl:lHvnYPLxsSJeeMh
                    MD5:63FE62E66B6E4ADABF2417A34390D4C4
                    SHA1:21909F6BCC61ED046B18477FB160A14ECF07EC45
                    SHA-256:78409AE6750D67C22495B52A99D537362CCCB58580C3B814399FEC2229F63D10
                    SHA-512:07A6BA65AACB029B0A0989818CD215CB143941300691233EE4AFE45127646CB5641817995206F16BDA6448933C546D5B41A8B004C2EEEED86F58B376D900BC8F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.019669043102984
                    Encrypted:false
                    SSDEEP:192:ZEMHhQkDnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHor9m/rzSi:ZEMH+kDnYPLxsSJeeMXT
                    MD5:9836DBD6C98F070066661E75F1F99366
                    SHA1:16913D9CCE7D8AFCE376D9E3415A06A8ED73FE38
                    SHA-256:15A58FCD4096B09C927DC5E6C489137C2C697FC7A5A2D522AF6AF5B38B282BE0
                    SHA-512:40A1D90E84470A83F98AF2E0AF9A6470A5A93CBF95A381852F00524281759481CC01B26F6EF6B1D5E97401EB02EEBA7EEB3602273C097F0DB9A5C53B929BF810
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.058445789383499
                    Encrypted:false
                    SSDEEP:192:U1JVZHhNnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHorwZdUK:eJVZHPnYPLxsSJeeMT
                    MD5:CAA10A7543CE4038740D289DECFB29A0
                    SHA1:EDFB1A8DFA1958FFE0D480254B625B1557E33AF6
                    SHA-256:B4C3D990DA2DF0B464A7340B221A472F8F9E85DB99C6C30E76BBF66A1BB65437
                    SHA-512:6D20C6E544230B769445F693187A73DDF3C78F900D42A190431C83CCA40253BE4934BD38B4B52E52C1509B69275D88FEC2E00991975F49C327B3694F88009A52
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.037786708708654
                    Encrypted:false
                    SSDEEP:192:g64EpHh+nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHor1WXTYg:g64EpHgnYPLxsSJeeMXcg
                    MD5:6D70459CC7C5418B85CC10695D870AA5
                    SHA1:92EB31E7B5C3E6EB54F1597264992E1E6293BF72
                    SHA-256:FCBF58AA17C7F7CFCF93184492012E55C7517F3B3936397B388189DB9ED8BBB7
                    SHA-512:46510ED9AD44C46DF589196B6AB2BE1CEEC23520DE52AABD37A9420C7BFC5AC347A870F339369ECEFD74421DC6C1BB3B4D36924AD6EF01FE0D4194ED0178CCA7
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.034578705990287
                    Encrypted:false
                    SSDEEP:192:LXHhrnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHorJpy8zr:LXHxnYPLxsSJeeMQpDX
                    MD5:C710FAD6D1FF55F1B86A1E2C2F7E8B62
                    SHA1:8C2D4DAC3AE69FF83B84D00E537FA5B14DFE42E9
                    SHA-256:F977EBF8050D7DCFE588F3B2AC06152A0FDA2FA12B6AF8B924C58A97208F52E7
                    SHA-512:7CACB87CEFF13D33275752A8C29CF239D21521B7A4A1F0EEC70CF92714343C0241385FF783C28D21FAAC068564CC6C0C818FFECE597EF499EA832E889E73A33F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.0519778262058255
                    Encrypted:false
                    SSDEEP:192:CD4RnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArv+HN85mdv:CD4RnYPLxsSJeeM9HKuv
                    MD5:58FAF3555A903FDA910CBACBC2CDEE06
                    SHA1:DC0F9D3087ED2831FD83110F55AA21BD0ECDEA36
                    SHA-256:DF99EB81287331F1C60FAF365C247C32012288163DB3312FDB23F2D814014D26
                    SHA-512:931CF3C354D789426401687871D3E9AB41737972AD1D9411D3FFCE7016E4569FDD1A976664C3AB0A84A5C9BAF2D03BDA5A6A376D808965AB1BC79D1610A990A6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):5.9924584382320365
                    Encrypted:false
                    SSDEEP:192:4pD4anYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArT+:8D4anYPLxsSJeeMZ
                    MD5:3F8892945F516655A8B7835197AF58D2
                    SHA1:4E6E1D4837A69BA4454545F7D4B4DF26B2263CFB
                    SHA-256:A0CAB28939FFE577AB31CCA5C35FA02916017F4FDE10E7EEDB79B1FC0BBF5A1F
                    SHA-512:7BDF164DFCC1B855DC19D21E6CA3A600689729683F2012DFA9D9AE88857E9DA04BD5180534AAB8AE891B079D665F5F2BA6DCC3BC71DE8605F98CF6C24DDF2D96
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.050901704256976
                    Encrypted:false
                    SSDEEP:192:62NYD4OSnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArPgUW:62WD41nYPLxsSJeeMD
                    MD5:CF8C874796121815F1A52717A79E448F
                    SHA1:4049750836608C729941A7C9DCD186CC1A6944C6
                    SHA-256:CA46FEDEEB4E4EF6283A7C0C8AEE15D5B39D42B5C46C885F16A5936AE7E99ED2
                    SHA-512:22EF7130866668EB68DFF131AB3755F3213B79B1E510DF6F3C56034FD66709870EEDD4495119964394F984E617D7F2E51E7A95E3C19209F382EE57D3440A84CB
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.050427165542923
                    Encrypted:false
                    SSDEEP:192:s8TD4xnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArqo:1D4xnYPLxsSJeeMe
                    MD5:CD6950910CEF762C13AA04938DDAC0E1
                    SHA1:408DBB8D38D909BF2F7BDABCF8E7097506AFA130
                    SHA-256:4E0BD9DDDD3C55F597A471C8A62D315D7D59D2254DAE57E41338593B5CF1B630
                    SHA-512:542D2D81C08C96E9A0742C457EDDAFBF29017A7160E2CC3B9104375F17F4087076C5D367B6553B84DAA3A5B3E2CD7AFBF1A20DC244DE1A1CCCA305FFE699283D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.0515080230854945
                    Encrypted:false
                    SSDEEP:192:xQD4unYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr3emq5+8:uD4unYPLxsSJeeMQee8
                    MD5:538C44446762526E3C23741531071174
                    SHA1:D1DF8BC31456FFF624C6C14993B91C904262EF6A
                    SHA-256:46BCCF9BF8158CCB756555010845C037B9ADA31F82F06AEAEBFDAEAC5B2BFF0C
                    SHA-512:116773F15C6EAA1EB1911875BAEA4A2E642E5C78980F10B35E822BDC56EC8F7442DD422FFFB991190F41D44946D58B08F5444AD943FDDF9E9D1798F0A437D176
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.045674105653468
                    Encrypted:false
                    SSDEEP:192:irD4PnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArGV9UXGJ:irD4PnYPLxsSJeeMNt
                    MD5:A534440CE036937FE3D1A86DD982164C
                    SHA1:133AF3D220B7024F697B3FD376F425963EF9AC02
                    SHA-256:37CA3D12BD257A3DB8BD02075D6703C2ECF76A550DF479D2717195541A918BF2
                    SHA-512:C31EE61D1A7649A42675153818710974B13FF22E3A2A41477D50A58389D405B14BFC90DC7746A337B591C44EF099A48F53759550E9785C3907E0C15B03C7FC73
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.054669091971493
                    Encrypted:false
                    SSDEEP:192:zD4gnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArf1MoNi:zD4gnYPLxsSJeeMEDi
                    MD5:DE8C342E524B214CD5F99FAA6A29084D
                    SHA1:D964F70D8A85FB163723263921980A1CB0FB21B9
                    SHA-256:EC8630A7469B7AA9E23C7BC86FE280734EEE280013CFC948874C37A88D7BE827
                    SHA-512:ADDB3C9B1C39AC328BAD306D464DEE6F212D860872C292AC03B63B914725F326613A710E965D4EB950AFA1DA236D372A31441C41178D408AD5F8155D316B3484
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.054168369266338
                    Encrypted:false
                    SSDEEP:192:rD4RnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr+B:rD4RnYPLxsSJeeMP
                    MD5:DD6C103287CAF2845E94336048106BBD
                    SHA1:DD6B516C5202BEC85FBD85CA7058AEBA5039FD1D
                    SHA-256:F3EBED90DDD84FE1BAD46E340FBDF755660054DC6BB1029DE3134ADDFB1BB6EB
                    SHA-512:D4D7D7D92BBAC35C4EAC78A38CB8A6D93A4F61E8D23FDF372EA6664DDA4BBB0ADFCEE8896BEA56B82FD92ECE349DCDBCD87B948E77947A704D67C15999141AE1
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.058337908926688
                    Encrypted:false
                    SSDEEP:192:jNZYCA9onYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArM0CPHei:jrY5onYPLxsSJeeMDPei
                    MD5:5221BFFFAB8D2F96B9081FE725FFE4BF
                    SHA1:44E1D6F28A57946AD6D20DDFF4003D90BAC32E56
                    SHA-256:CD82A23241C69C78EC3C7E84F652CC957205AB35619391FFD9E7B1F35AB32CB5
                    SHA-512:DF813D58BBF776096B9BEDBCBAE765A56697D19D0D36CD011B9FB72B032F3245D485E9589FCAA33DFC1CBCD452BBA9564E7F98A70568A7F936525E5E955D7519
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.056800992748223
                    Encrypted:false
                    SSDEEP:192:6ZYCA90nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArZn2:yY50nYPLxsSJeeMv
                    MD5:8BAB575B8CFA6F02D87D5636E89E3228
                    SHA1:0339FE909C9EC646595B8CCAFA502DE3DE46EE0D
                    SHA-256:E1B05AC9CB4A1FECBA389B62388952DFF50824290361D5128382E95E0992EDDE
                    SHA-512:AC566509DF0E7FB5E9CD5B360B2221DAEDAC8A0525C6855DF8B550A159A3D5A2385C97594D0FC4283E2CBB702B4A48B1ED286CDB9F6CB8FD9BE6B9052445937E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.0613254769522635
                    Encrypted:false
                    SSDEEP:192:VZYCA9GnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArgXPCD:zY5GnYPLxsSJeeMG
                    MD5:C047ADBB883B956495E00D74FFB46485
                    SHA1:EC2EED0866A3D33A66AE26ABB24B914FE5815189
                    SHA-256:AFB9EAC60466FDBE08148AA9D548B5A7D2E91CF2A9B8350616EB5ACABD5D3933
                    SHA-512:74DD2563348B25938D79E3F1D2E4AE63CC2E3731B2FAC27D85F25236BBB38EDF1535A34A21B06167E0939D4CC852EAEC4F0AFABD0FA7EC93F6554C3D1921EE71
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.057817163595025
                    Encrypted:false
                    SSDEEP:192:ERZYCA9FnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArkvCX:E/Y5FnYPLxsSJeeMeX
                    MD5:01721BD08F06DC8631F2A412A55FA539
                    SHA1:A12840E4D5B624F0B2E1E1CC3D57884911EB62FB
                    SHA-256:5F9520C642605AD8477019CEAD8236D94EE14AEFDDB7B223AF76DF6E03931614
                    SHA-512:A7A4980F884E04572359E5ABE0E360E52B8EB37B8E8A08345C84E473172AD9CA3B411B6AC01355EF6D1838C96B869CE05824A228EE6E16976681BB19A752D695
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.052208677730489
                    Encrypted:false
                    SSDEEP:192:adZYCA9ScnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr83i6I62Fjue:abY55nYPLxsSJeeMsx6Yd
                    MD5:9CDA138388FAB18AEF079DAE33B26838
                    SHA1:84037BB0491E60946A9EAA3E1B8C5E3DB53AE124
                    SHA-256:8B85F4AF09B9AFF14A747C1CE74C5D7CE8F83A828AE4578C0EFC4DB28791B657
                    SHA-512:61536F6D6230E71F078EB5933DBF640371AAACD28315F9119F1EE1550F4F0FFA7C5C9B3E1B5B8A5C565CBE1A79FDE75113E512539847B82384C5ED750706A924
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.027711075816468
                    Encrypted:false
                    SSDEEP:192:k2ZYCA9EnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArDOAMB44:k+Y5EnYPLxsSJeeM7B9
                    MD5:EFC1903DFE8F43D9307864A50FD2C41C
                    SHA1:66EA4E665309EA23F7F7A7CA90412F6BD15A5E93
                    SHA-256:09EE8CBBE660C2669A43695C03017194DA5DB46176C5E916562E238D25C012D5
                    SHA-512:2E7116FB24E97BDBD718D9A28860C5C1C47A139C6CDBC305A727681671290313481810CC524D6B32457C23F8C4F1509A7729F28D838757E08C77C2028FE91911
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.042207578667848
                    Encrypted:false
                    SSDEEP:192:w14qZYCA9inYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAryUyRYGhCz:+4CY5inYPLxsSJeeMzCz
                    MD5:EA4860E4B04C5E0D3779C4DD504681B9
                    SHA1:418C753641AB0B0D1A50EB0EB2D6AC2D08AC31F3
                    SHA-256:4A4EBCF404F5F5A764C135529D4EB1B99AFF33AA4C02BC9FD95421F9314EF061
                    SHA-512:827105EC07B3861424128E7F1649330BF0B49B32479FF4CF1A2264199A9CF19D5734807DD2194D4B9C375DF5B8D81FDD6351D037CE513F8629140630888478DF
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.058519133795715
                    Encrypted:false
                    SSDEEP:192:hWZYCA9YnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArqufHE:heY5YnYPLxsSJeeM0s
                    MD5:D519571719484C18A7AFB6E1F5246271
                    SHA1:FD3CD204AF32E01BE7F606BCB18EB5F55A963D12
                    SHA-256:7E2700383FE6AA39FCE3E9AAA433916A7B6AB1D236C019617181BEE116D76336
                    SHA-512:5639F65E14CC8B99CC90CA10A906D8A648E0C5E6919FC97E50CBE758B079851BEC70BC6BE5A713053C2D133D60259453DD1BFBDAE3F87FD03A5BB24E088DF9EC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.06216082572488
                    Encrypted:false
                    SSDEEP:192:BZYCA9PnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArxyhEO:PY5PnYPLxsSJeeM9EO
                    MD5:556654AF9EE634E580A0E72CDBF4918F
                    SHA1:18D8F82398B373BA6961B6F9348A70F859C74EA5
                    SHA-256:4CE4F22375F2C4FDDE484AECF79A1C9E7842BAD804F28B0CB5C2EDC7EB9E9FA8
                    SHA-512:78C261DEDE450345CFA37523BC409BDDC2AC7AECA16165B402BCEC2AFEECAFCC3B96797BB0CEB1E8EEA7FB9049DAF54FC870F8AFEDF17E02BCEE1C48054A46E0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.030082719737478
                    Encrypted:false
                    SSDEEP:192:2F5f9nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArSdzd/hyQJ:2F51nYPLxsSJeeMZdBJ
                    MD5:3FB2EBDA96B66DD86FD750892AE7542B
                    SHA1:FC702940DF0FBD3324B24E042F793744905DC0B2
                    SHA-256:2468D1D011D6DA6FA4519C20E852E8C1177C0A1AA08A87255FCD81330861B18B
                    SHA-512:60C6C891EFD637DD341D8AB2B74F752989A68578CD15E74625ADEA380C13ECD092814BA4D097C58EC50CD2B39C3D905130512EE3FA76889364B65C5E99F8134D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.03833242029108
                    Encrypted:false
                    SSDEEP:192:E5f1nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArrVq3lT:E5tnYPLxsSJeeM33lT
                    MD5:2BBC6DF5A91F4478132D065087742A37
                    SHA1:E468146D01301BC596C0F6A6B16968F54D423E93
                    SHA-256:8877E264089238B34882B4DC7D487BD23DB7647A98E44CFBF9326962CABC2E59
                    SHA-512:8D4C42AEE5A9361049B22CE7E904FDD05C9F8D2E5D56545EEABE1B8A7F2C8AF057D7601CD6268D4E6432B64AE2F1F71B699265E7F3CCC1A03E9A2AC3BF3869CC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.03739940995637
                    Encrypted:false
                    SSDEEP:192:ifdX5fIYnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArh0cE:+5gYnYPLxsSJeeM/
                    MD5:0248A147DB38FC19C24592757AD27837
                    SHA1:B044C7E99AD7FE1C168CFD1F2082F9E445D95128
                    SHA-256:6CC78B241C8B75911B23885B45A25FCCAE22A0FEC53FD35F14E53BBF3EA9B448
                    SHA-512:B901F798A458908260978A7A7147AAB256DA5563EF5F3726C086CBE7B270AD0030A32EF955692A16243788D32D9C3B3A6B2C5B07E5A0F7DDD4619AE5F2B024D2
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.023711954913045
                    Encrypted:false
                    SSDEEP:192:85flnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr/zgFwV:859nYPLxsSJeeMuywV
                    MD5:BBD0E1BDEE07F4DD831D8F6B2D6F993A
                    SHA1:39E41AE0321735DD12A568CAB367C691F3BC454F
                    SHA-256:C08D477E92CC927D2A1B66535CB8864550299BEC2612F42D70CF81E166B521FF
                    SHA-512:59C7695382B77E49C297B8B57C6F79F06C0D56DF9BE6616C41204B7888505143BD9BCBA1E66B4BDA016009378A81F0EF3A66BFEE4F77ECE5F01800F64D1D79D0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.052538310108726
                    Encrypted:false
                    SSDEEP:192:Z8aH/5fRnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArp8Lb3T:Z8aH/5JnYPLxsSJeeMC8PT
                    MD5:590ECCC5348FC69329E2063D5B5F0AEA
                    SHA1:88AF5CEE6F8732509A70C8B739D85310A1CFFE90
                    SHA-256:3133E67C762EA8CAA8B2B8E22B7AF3EF75E9BB015A0A81D5ED264252C2D6615A
                    SHA-512:84BE80477020EACDF71E683E94020A69066905DD6121BC707EEBF429244ACDC32B277238732304C77AFB766D0F1B701DBF840E268703A02100D2612A3CEC5DCF
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.033552199236734
                    Encrypted:false
                    SSDEEP:192:3IYoL5f0nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArl7ue:3IYoL5cnYPLxsSJeeMne
                    MD5:15538CD9BDDD829BDC4DE2F8856F52A5
                    SHA1:730E5924B453A183DC77C28FAC33EA1BBD899150
                    SHA-256:D800F7E566C6F1A9FDA6A152D5F40CA7D468C758D28BCA1336AB99EDB494ACF6
                    SHA-512:4BB73CFEDD732B5B83EC15C2D5F4AA759325E833CABEC62DDDDA19B58603B9862C029D8FEBEACA00420C7134CBD38813A523BFA5B8CEA2A29B6D3CC8C570707C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.04165088391042
                    Encrypted:false
                    SSDEEP:192:EjcN5fEgnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr6dcG:EjcN5fnYPLxsSJeeMwG
                    MD5:38D7E1FFF63A1F0448A7DA2FDA8B9494
                    SHA1:7ADF2EF2AA829C704C2F5D2D3DEC1D874A36D525
                    SHA-256:214EAD77F6498ABE82B69145EC29979112582BCE6134F2097E0C5458CFB6A7A1
                    SHA-512:B52716C02D58BE0361564A8D1CF95E664D34D810CD392623AB5F0F5B012D174811B7F54697ED695A80DB78487A58B5A2311050B38A6AD71FD809DBEE0A71E8EF
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.03476301482131
                    Encrypted:false
                    SSDEEP:192:U5fnnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArhNF4K:U5vnYPLxsSJeeM6Nj
                    MD5:C3E29E7733D9E56F1AD49257CB53767F
                    SHA1:00CB602DADD0CD40BE286A93A5DB778713837D30
                    SHA-256:A64759AA3EB6DA23D6DBF099BE17E048BF85897AC08A09B738991FC757435FA5
                    SHA-512:A44F1BC7FDDE070131BBEE2DF6D804760B4E8072F726D68D1EC5319F26974B0D9F8BF5FBFDA9724AB5DE0045C9F5E6C1A567F4566C394E66B028398296B55FCF
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.019423409028285
                    Encrypted:false
                    SSDEEP:192:2eclNDZRnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAraKW:2ecHDZRnYPLxsSJeeMgW
                    MD5:8B3E0EB4C6AE7226C90BE2DDCA34BD32
                    SHA1:B5377925C98E942F895B8FEA3793F9BA8F1CD2E2
                    SHA-256:7757910469F6ADC76B555B09C594AE8A2996D8D931B55971EB1401CBC46C5AC8
                    SHA-512:20F2BB7583789D53C212D65513A7F06156D21F787B7AD1ED6B21C3F2DAF3A63F52BEFCC8B9AF5CF6EB52436312520F631EEA0D6385FEEE18F1EC4CC640A367F4
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.024774174502079
                    Encrypted:false
                    SSDEEP:192:HBDZunYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArEKXX:hDZunYPLxsSJeeMkX
                    MD5:5F75608EF4BFEEA196396AE098D6AECD
                    SHA1:D09E71A06EBB070B4BE79CC5C4EC77D5BB8D4986
                    SHA-256:DE523EA98B01AEB84E85513304926A312CCDA3D56F8FF73DB0E3F51B3AC3EED5
                    SHA-512:4DED0EF7F21FAB336A747BFB598F746C24131AA6616AA4A0A68187BE63F77D428FAC935B238306D979B3CC7BF843BF768630FFEADDDDC2E17E8FE1D951A5892D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.010666003927178
                    Encrypted:false
                    SSDEEP:192:ZDZynYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAry73IoL:ZDZynYPLxsSJeeMjjI+
                    MD5:5B0DCC63B983E0BF91BF9121BE354F5C
                    SHA1:992D8B54A799682053DD04EF6AFE06B437E5BCD7
                    SHA-256:274E97BEA7C82BBF0A821D62BFAE339A92E8C55343B0B36A357B42A0BE83F8E7
                    SHA-512:11F814EAE176B7A64A0C1DEDF4D3C9821EEC44AF0E55CDC2D7373F8D09D62E001CF3FE304DB3A669384A610CD3DA4337956A58919CC7F14BDF6A8A24D49A08C9
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):5.993586947887268
                    Encrypted:false
                    SSDEEP:192:J8XDZGnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArDCm:aDZGnYPLxsSJeeMk
                    MD5:57BDE73F1C6119E5F5E5110713505198
                    SHA1:A4480C2727FA02BE07AAA09774D7A67C7B728481
                    SHA-256:AFC4605E31DFC9129B7052D837FBB53CB0A4A077FC1178EBCA40DD005A385522
                    SHA-512:666DA24BB397481045E0BD0FA240C8EF5B6D01DFCFFF15546FF217ABA5A383BA28761AEC0D13AD56D9E9CC367392D8F17D0E2C9BC85EA689E656ACBE9DA4C92B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.00342145000483
                    Encrypted:false
                    SSDEEP:192:BtcDZ5nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr6fUL:BtcDZ5nYPLxsSJeeMD+
                    MD5:DECA2F3B75913A81934B900FAF5FE944
                    SHA1:CBD9FB3E4B7D6DE8D66621874D5E52E7229131DD
                    SHA-256:A2F06B048588CABCC431591BF4BA13C2B53BBAC08CEF5C1F3836449902238C4E
                    SHA-512:A5498B454E33FE482AD1712B53DE9E73128850858169854D993F2C56049C2B2A49C5E3B2536448592705D6C849F2F927B2FF5FBEF64E8DECFB37BBA707DD6A71
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.102737530213475
                    Encrypted:false
                    SSDEEP:192:dL7HDZOnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArzuxfV:Z7DZOnYPLxsSJeeM1V
                    MD5:D7A86FA9B60F3B6C9EFD36EC4CF7C346
                    SHA1:D5AC60EF81EE2814E1A44150835958427AD94CA0
                    SHA-256:88A912174BE231AE45FFE82A5DDDD23E4A45699273A2107F87C45DA33DE8ED6F
                    SHA-512:B31FCCE18B54AC463FEA1249845883F32823B34865CBE0C258F810530E807A323002B89A4A3B25B0AE22E5B1B43A6113ABD06EAEE1A14CC6E955FF2754C4330F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.013135608215884
                    Encrypted:false
                    SSDEEP:192:VDZ5enYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArdVkExYx:VDZknYPLxsSJeeMQVSx
                    MD5:065AA34ACF1A326C1D8B795E7D112B19
                    SHA1:BBAFB8358AACD180BFE524295A7B4B7ED86C17A7
                    SHA-256:2ECDA66A3A69A3DBB00048495DCDE3EF2579EFE4D2BD589999FEE453E07B9A9E
                    SHA-512:327FE28375B9656D34356F333CF638D394A206A5E02DB6D3A1F5AF90870FB3DB2F0168C9EC56A4F4072BE70BCBEEC3E6405F5B736F25ADD11CD56ABD75423973
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.0118185745166794
                    Encrypted:false
                    SSDEEP:192:g+BTDZ3nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArcLEel7:g6DZ3nYPLxsSJeeM3p
                    MD5:0E4E8ECFB9A593CA6495C3DA77E7E14B
                    SHA1:D3E3D7ECF3BC1C9B041DCA588E27F280D4D166E7
                    SHA-256:8517DFE2FFEE3F6CD61491D0A4982DD0513D80CF0EE33C71E65B2D5B787EDD62
                    SHA-512:0EA8E6629512535FC797EBC4B2BB03B8A9D9FF7FD11C911E651B728B96ADCEEE68EEF7C3BB7484EE522F20963126A5BE0C1B1498195A207344D2EE676A7EB236
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.0329345621361625
                    Encrypted:false
                    SSDEEP:192:kYCb7nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArmfY:kY0nYPLxsSJeeMxY
                    MD5:C0B46B895419991639C1F0A3EAF7590E
                    SHA1:F1F9476CE50C63B35C0E7142EF72BFAFFD31185A
                    SHA-256:99127DF9545A24B966E1C5DFDBF93A7DBB83FE45AD553ABA91919D704C627D3A
                    SHA-512:F62407573DEA4214724B5CB249176E4CFDFBE70AFD07B6F40A49FB0A19525C0ABA47B2152BAA0042AC8445171B8EE0F744B7DDCF6467E9CD332797A1BF495C5F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.035816101119246
                    Encrypted:false
                    SSDEEP:192:EYCbmnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArROTu+a0:EYlnYPLxsSJeeMi6H
                    MD5:0FE23CA85E22B4C12EBF6FD6B16355A0
                    SHA1:F84B6091E6F7794747C9FAEAA12DBCDDF5DDC8DE
                    SHA-256:2CFC5B3D5153FDE03FE81EFA0A8E40E881671502286C99E94F7C2FF86671A7B0
                    SHA-512:F6D5E63578FC2A49EBA229A975D2179B1CE62BA2D8DCB2627B767C5D395EFFCF19C8271336CC5DD4DBB2A0E0F8A4342B0F7B60F378C6D7EAFB72A26CF85F0D50
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.030221682732714
                    Encrypted:false
                    SSDEEP:192:vYCb+KnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr7jMsW:vYKnYPLxsSJeeM8+
                    MD5:45D1FADDB5AD57643E02A50788BBAD63
                    SHA1:A8341C5D9719B89DB3123A43E7ECED3E773482B9
                    SHA-256:D69C1F0E6334ABA300D65F0F28A645E28479D55211BED58035E8BA85F972E535
                    SHA-512:E8147FAD9F39C6ADB8150819991B48C9648C97BE62492E701A69EAD6325C79892B746554283AEED6BF50459DA05987B29B2188C89BD30F3264A833603436CBE3
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.03588152875549
                    Encrypted:false
                    SSDEEP:192:NYCbenYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArL2SID1n:NYpnYPLxsSJeeMqSDp
                    MD5:FFF8323477C873F2C6711D2F20229211
                    SHA1:3102FEB81BAAB1EC253A97D3218444D6E2946911
                    SHA-256:27093B9C1E7FE83FF9F972B2A110FACE41E728E4BC5C109F56C3DBCAFD8BBFC9
                    SHA-512:C7B3C445C9B73CEB953DF38F33A03D51F3DE78C47C7146F34348F7A37AAE6C21E3E268A7106C5CF0870D2F887454E17371D198A4B159993CEF187B4F1C4F9B97
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.039325253575186
                    Encrypted:false
                    SSDEEP:192:VYCbtnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArrKI9G:VYmnYPLxsSJeeMT
                    MD5:172AE67AF041E974FAF0C5458465A011
                    SHA1:3B4852428C892D325B25AF79855D35CD06D12EEF
                    SHA-256:80D8FD85E7DC567393C8D35B37F99025B4FC117CE8005F12932DC9A1367FADC5
                    SHA-512:BCEF597757A8DFE05F9BFC048B819575030EC5183E785BE1E244AE3A4D5CF461FB72AD151618B9A899ABDEF61C3A8ECFDF20A9AA42ADF2A3B5FBE2F56ED50817
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.062503385932077
                    Encrypted:false
                    SSDEEP:192:FYCbQnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr/Xt:FYPnYPLxsSJeeMS
                    MD5:40DECD6648AA8B70C6A5040A1947A624
                    SHA1:AB136BFB832C6FC718B15F68DBF57FA5782C69E4
                    SHA-256:B2C3201811825EE20DDDA93FA32D6E9173C44BC8C664012EECD171F38E912262
                    SHA-512:5213740AC7421379ADB36A94DD11BC3CC104727F47CC44A6E50C72FB7E26ECD29452601399264932B81F62510C47BEF2B0DC2FF84E0FD301E8C578CAFA51A071
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.038630152582444
                    Encrypted:false
                    SSDEEP:192:PyfYCbOnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArvb:qfYhnYPLxsSJeeMc
                    MD5:52DE50E902528B2DCBCA8B942E8BE128
                    SHA1:2C06384B0BB4CD24BFFA121F48FD186C8267114B
                    SHA-256:44B0E0706C444124842B4966D2429B6AA4CFF1A139D5891151887BAAA6267BC0
                    SHA-512:A802B60FEBD1EEA5F0365D972EA82FA8562125B3061954541F13920FC42C247D96CB9EF4617533FDE1260E6079A31359362BAB212DB7AC9D6DBABE44A8D1833B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.0377309011371265
                    Encrypted:false
                    SSDEEP:192:lYCbRnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArgpZEk:lYCnYPLxsSJeeMD
                    MD5:2547A0E79ABE24CB547018A8DA519A52
                    SHA1:9B00AA85D8C48802B4B547BE6A7BCA5AF4F5461B
                    SHA-256:C970F21D75845CCB94A326BF4891B3F20D784B13FDF1D0676DD3386956F1B38B
                    SHA-512:577B50499E08F0EF0BCA2ACFBED4CC9A3BB9C85B30D200A026D6DB6817D00DDA1D527DBC3BAA7527318013C3FE48CBAE82F1FCBAF9D41629AB36870BA3DA55EB
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13176
                    Entropy (8bit):5.723964684916261
                    Encrypted:false
                    SSDEEP:192:hzvovxUElnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArmBHxj:hzvoJJnYPLxsSJeeM/xj
                    MD5:59ED5807553C16A53404452DE55C5692
                    SHA1:11DD8E984426BC6DC21DC4E21EA71A9F29834C51
                    SHA-256:4E404CB7B1283D3FC55CB24A58127E7A68C797C4CABDFCE46AEDE0062851661D
                    SHA-512:4B39DF29C0FD21B413E18B1F60D1BF58AB865486B184F713DCA5FEA2DF49AE30AB25686E364FE3D46BDB9EF479FC73A53A4A92601F0E02452F81EE176D14D3E1
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13176
                    Entropy (8bit):5.7410738983540455
                    Encrypted:false
                    SSDEEP:192:T2z3XvxUEknYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArYCj:T2z3XJgnYPLxsSJeeM4
                    MD5:922B2A2FB75BDA5A17F11409F4DAFA66
                    SHA1:DE1D8DCCAF21012A6F47151821674B708DB8BE95
                    SHA-256:3B65336CCF3A3BB93327B29CFBB721DB787B57C2BEECDB21AFC4BD91C5433B29
                    SHA-512:BFA66918FF7F4857754E92D70A1024073EB17DE00A8C41D4151034F8B90581D2D66599919A71EC1A54D726BC2F489B1CAC311E3FF0B28F5C21EEA8E06CE86C6A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13688
                    Entropy (8bit):5.710886255622379
                    Encrypted:false
                    SSDEEP:192:GWvxUExnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArfaoS8N:5J1nYPLxsSJeeMs
                    MD5:0C8226C781075BB807049351A08DBBC0
                    SHA1:5FAE60CBC4E37E266374D3B2C1701019C53F55C7
                    SHA-256:8C7E20AC08D8879663E1D97BACDE43B9A11313507D5BE0D1C2BE8DE3FE1AACFC
                    SHA-512:52E9877A5149FB39BF3DE5C7282F1762081E94AD8B7FFBDD9A13632DCDBD3BA14C4437BC3C9A3DAEDB94D0753F47728CF190CF179DC941AEE6BCD8EBB3AF4177
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13688
                    Entropy (8bit):5.746654059163378
                    Encrypted:false
                    SSDEEP:192:Ry8vxUEKnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArHN5Pt:RXJmnYPLxsSJeeMG
                    MD5:A871CA9F64E84DAF58206424CDBA5F39
                    SHA1:319EE5A2B34A544E7F4B61FE9AC3BE423EBC0818
                    SHA-256:EA1A9B3C8AA39B37A0155B31779D22DB915EF166546A9291C0ADCC3F510982C0
                    SHA-512:EBD5166D6A476053632FA2626D205C2B98C0B49224F6170D6205B7FFAF281F5566376E883042BD3CFE6CD421F743EC78E1A9A7C639CB91146564C48578A36178
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13688
                    Entropy (8bit):5.747764904832422
                    Encrypted:false
                    SSDEEP:192:peJ7vxUEknYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArgtDT:EJ7JInYPLxsSJeeMb/
                    MD5:86C366437726A048BDDC49F938DD245B
                    SHA1:91A3437D8E77EE1A1E1E932CB5B0EA99F8291493
                    SHA-256:F34F73BA3E881267F57500739751498F0F520F8367D466992B6251388953725E
                    SHA-512:13E2FE13444089EA12923E8518433ABEBB69E7DE654A4D9CF5DFC489FEA5204D5F5536F4C4E99D7ECDE0CDEA305C22F899FFA12CCF991E9BD7D2FA99B0AD0574
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12664
                    Entropy (8bit):6.039658636342097
                    Encrypted:false
                    SSDEEP:192:fOhVxEvxUEQnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArbNNtG:2faJEnYPLxsSJeeMOs
                    MD5:E29EEF5AF3151712FA0C640EC9FBDEE2
                    SHA1:9527AA14C02D76C33E857932E31077DB248A0FC1
                    SHA-256:703EB544D20CD51592727752ACBE70CB03416593FB452F4B9CA5B8B734C9ABE8
                    SHA-512:3951799893F0BCFF5A831F145EB2144CD255E2606E0453F23FD9C27B4EA517EB520015E98292C2BE0070CBDB03C686702C6BBD29B2E04E6ED19029E36E54ED06
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13688
                    Entropy (8bit):5.792417430987402
                    Encrypted:false
                    SSDEEP:192:KEGFpdY5vxUEKYnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArmjEo:KEGFpyJBnYPLxsSJeeMh
                    MD5:988D744F66C44E8D5EBEC3B4EDF2827B
                    SHA1:6BB90CB6C37ADF426F84CCDA809B8604222A43FF
                    SHA-256:8B705B44D44EF5AA020AAF59C2FBF37381F8874958A75493357D03FE74B729E8
                    SHA-512:A66B1ABB9A5A8DB75829887E81D0A91AA26B25F0723434C3DD8C0D5E1CDDFC7DD9FAF635B260E9A9F50A8C19E9522FBC571C77E29259D5BD4E3CB76823DB5DE5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13688
                    Entropy (8bit):5.749916642362393
                    Encrypted:false
                    SSDEEP:192:nCX6PUwP6KvxUE2nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr3CYZ:nCXIBPrJqnYPLxsSJeeMvO
                    MD5:4822BE0D50FCAB28903F13AE66C1DC97
                    SHA1:276FB93BF9ADDB3D6638DCC7BD79FE7F03C6AAD8
                    SHA-256:BC02180C8D5D3344BDF8B4F5236E8AD89B4DA0E1298D96FDE0AE6BF3DE828B53
                    SHA-512:04AFD4B57FDFB7A66E2FCC4D23CFADB428A72567C2180A9BD20CED4F225FD4BE65C0643396F96A054BCD91FD614F2ABB68EE8F4D6E902150A86937DBBAAA8DCB
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):364032
                    Entropy (8bit):6.270328857116929
                    Encrypted:false
                    SSDEEP:6144:/D1nBmd+DfHIG+JKotBZ/TS8ytG5dHL+:/vVfb+b
                    MD5:9870191D0F26BDAAF6D4550EEE3A96EC
                    SHA1:A04384BA4D79B20E23E7BB929340D161026FD4F1
                    SHA-256:AA38D389C448BD726D9E6A19046BCB447FA0A9FA696FD8B163D190C3A943A177
                    SHA-512:5D726305E1977E50B80B439B7E2A3CA8EE72E4B29843B68FC1DEBC437BF7C42FCCB25EDC4DA743A539B67E9F2B295C4F1C6ADAF6E2F262E9E1FA204CE4E66E04
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.010678646272346
                    Encrypted:false
                    SSDEEP:192:fCIDKpY1nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArOi+GF:fCID6KnYPLxsSJeeM1GF
                    MD5:93F161FE066F535527634925EA19A213
                    SHA1:9654BF21874F12E02A5390188D5DBEFBF59A81DD
                    SHA-256:61172DBB69FDE5E01E154CF0131A2BB71824AB7CBA368AABC5CBABE87495D460
                    SHA-512:D0F5F733A77EAD36DEF2B78A0921C4041F1D8E49731E3DEB0A87B6C43737F58080BEFBBB6D43CF0296904230451DDEF6023C2788F315D73D9C46C535B1037240
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):5.965455209965011
                    Encrypted:false
                    SSDEEP:192:DBujKpYFnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArUFtnJ8W:DBQ6mnYPLxsSJeeMpHnJ8W
                    MD5:2844B682755FB038FF120DF8A8E3A13B
                    SHA1:E5235AA7C842A85067094B9E02D89D81C798A9E4
                    SHA-256:752E5F6AE975828F1B30A07D3E20EF53F9FA4F036BDCEAC3E25E5EB26C08D439
                    SHA-512:1FEC21DCD2F1557449AF931747668B131B741BAD0C54EE0F0DABE99ABB2A9129D7D1EF67E8FAA65BDFA3137F97852683BDAADD51C67DD0A7DD786068F1BCCA3D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):5.99427675044777
                    Encrypted:false
                    SSDEEP:192:LKpYNnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAryoqXL:L6mnYPLxsSJeeMxocL
                    MD5:4582F88B0F08F9B8DC173C49C2CAAD89
                    SHA1:4ABF7C7B8C931BC7C390F3A6216604F0523FFED9
                    SHA-256:605BCB82A6BE701E231B2EC40E95D72B1582C724D05E0D559D221CF59FDA6CCD
                    SHA-512:D58150C38D235E7FB0951FCD47DE2BA5D9F81A646B023319F6AB44F98D2B0A7456A2773E2B225BB346A25249F6765628199B25FE34665BB500FFBBE20DF5FA06
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.010508198117088
                    Encrypted:false
                    SSDEEP:192:Bn/KpYhnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArnor0w4W:J6WnYPLxsSJeeMX0s
                    MD5:C51634AF3A39E4A7FC00C05B423D9D08
                    SHA1:A14825B4E4B0649027346A574BEAA0F9FD0BD7DA
                    SHA-256:495A029653E2AEC14709539EA33FFE37E54B3C2FEB98A07BA7851D2224A0E78E
                    SHA-512:2DCCE2237AA57586DB673B833A8E38E31BDC9E2478534C03D5EC6D322029C77ECC5C574BD58E479A6FB3C849AC0E7C9FAB8BA6D89CB064B7A18EB9F105706CC1
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):5.992572032510404
                    Encrypted:false
                    SSDEEP:192:cJ6MKpYCnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr9s+twyWC:U6xnYPLxsSJeeMqsUVB
                    MD5:6E7A404F614EBBD9DF61488C62783130
                    SHA1:66AEBFD961E67E933934E0D67AF37A7B6348DBCD
                    SHA-256:387D6C02C0177388E57D5D174E25F0F44E3FA7078A77ACDF89CED8171547ED20
                    SHA-512:70FC2D9E514CDAD1CDB09718D9B29B89F86830D5DDB0FFA012A589C5559F435D88AA616412AB91CD84A20AF5A6C029927BF96CAB5A4E8FA8A4C2D5075E96ADA5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11128
                    Entropy (8bit):6.011075014612237
                    Encrypted:false
                    SSDEEP:192:woZ4VHsKpYznYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArhf2weki:woZ4VHs6QnYPLxsSJeeME2wG
                    MD5:EA052A7E0E81FE627117CA022F5C8EDF
                    SHA1:D2CD15FC82661737A8865A83EF72639C7FD2BF1B
                    SHA-256:94D8D10A9812FDE2B506FF732A8026AD67678B3DE491A181030F7B912E083AAE
                    SHA-512:D21F5AFCD2B26C70967EE343EE80F6DFE32D561378853301253A5FBF9FE040DE8B33E395B94C7FB43EC47C5F6CFB34D0F90E1B2E5BE918E8181A7EE9A9C8182F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):5.836030271374374
                    Encrypted:false
                    SSDEEP:192:thuobD0q4ZnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArkpeX:thuobQqOnYPLxsSJeeMCX
                    MD5:5C2D37E6DE424BC559B2D82F973A18FE
                    SHA1:046E8FAC511B06E25A7E4AC62B7BE6C752958F8E
                    SHA-256:F7085EBF9BF48D1D846EB3A21042929CFA0FB3C1D7D3D53E9B320285F2B75221
                    SHA-512:A60BF325E6BD48C500C5B598D5F6FAA9E08227D0963F1753D8423833E3580BE47EA6E0288738CEE26D42999AFC898AB32060D4F0F89266EAE7F1430FFBCA0CD6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):5.998273520190747
                    Encrypted:false
                    SSDEEP:192:GhuogT5+q4FnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArsAqjPg:Ghuo7qqnYPLxsSJeeMwH
                    MD5:46815893EB9A5ACD8EC6B2E9CD657031
                    SHA1:CCE7862789E6F5B26440E7B8766A29B746666084
                    SHA-256:D4F52F880BD59E5D8567969BC6B77D82FFE2D49807A2BDF9229EA02040EEC8B3
                    SHA-512:7254EFC274DD18A19E955E91C1685023EF09E8C6B8E294230CC70B44C9B7032E2364828D56485578980DC5D4C06C512B433B23CD066D83B28B02531F1F49FB52
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):6.0212221542210465
                    Encrypted:false
                    SSDEEP:192:CJhuo2F+q4PnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArfC5+R:ehuo2F+qcnYPLxsSJeeMOCYR
                    MD5:C259642CB2ABB0AF934B32E80E961EE2
                    SHA1:2CF87035A63ACC34FC8E35A5B514A178B3FF5036
                    SHA-256:FB864AEBC31CB1594F7694D4221E6D9A4778B9DCC3E91DD178867126815C32AE
                    SHA-512:57EC851FFA386FDF044A01F1C71A8B4E76DD0E50AFF2B6B0F8829D82A8780EEA1B047CDE66DFD250A7F5841B6C45A3613E068152C855CF86C73283A11D7F249E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12664
                    Entropy (8bit):5.88295138983987
                    Encrypted:false
                    SSDEEP:192:3huoSV1rKcP6q4mAInYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArY0Fkv:3huoSfFSqYInYPLxsSJeeM7v
                    MD5:E2FEB54B1B43AD673F7C0775DB328BEC
                    SHA1:6058AE357FA18F2A79B38B32FCA442018C19A3FA
                    SHA-256:EA5DA832DC917B70F23C5D48AE257E2671CEEF1AE7209B270EDEDF31386E5023
                    SHA-512:1429E60CE667E501EA8ADDEB59A2FCB870AC6424C47CA225D2BAE3BEECC05D332C69F43D1EAA4B3BC1B97A1D8AE0ACB21611CA72F04BC39BDD1147306EDCEC2D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):5.814874248937867
                    Encrypted:false
                    SSDEEP:192:EhuobONlBq4TnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArzxaRx:EhuoUq0nYPLxsSJeeMIex
                    MD5:0AC205B6A5D62B98928BC0931F0DECBE
                    SHA1:DA719591A98032C35C5D4E61BDBD30B0BB0522CD
                    SHA-256:321FA8CB9E112E6C8CB34329DCE90E037E2C3EA802B9F419EA2546CFAEECC951
                    SHA-512:FE29F4A582C1D980D29F94C6CAE992D1F373DA78B3BA06C498B10C556A27F2C6B7E37A4AEC8E0CBC527F913DBCF61EAB28D592D61F01351DA98C1CA0378482D4
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):5.931762641151245
                    Encrypted:false
                    SSDEEP:192:DhuoTRq4TnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArlM07:DhuoTRqInYPLxsSJeeMN0
                    MD5:EA3E57595D3C9F372E692B49593686E4
                    SHA1:9BC1372C3DF0B2272D8D81368BE5F0B9F83ED9E5
                    SHA-256:8CBECC3866B15AF5F540CAA4BBA23603CF78DCD7CF660926210F3D54C6BE5757
                    SHA-512:EC10D5E514180D20C9CD16464947EACB5056BC72F2A0D93B15BA8508B771357E485DB2694C36763E3B5ADB47BA861B1EBD090D7BA935FCA18639089B4445E422
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11648
                    Entropy (8bit):5.959361162830506
                    Encrypted:false
                    SSDEEP:192:whuoyRq45nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArVcLR0:whuo0q+nYPLxsSJeeMdN0
                    MD5:E000E379A4E77B26EA546625508EE52B
                    SHA1:7704F9C9599459F51C7891285CA29853661C4D83
                    SHA-256:17610E5724C80DD9FFEF65663E1417453CDCFB0195FA2EC35B67F9C77C9ED432
                    SHA-512:165516824118B9FBD4684BE4CF3FCEB214F382F1299B82AD320305E2FE16D6521F4E28C9C0F799894A339DA62343D26FEAF87B3071BEC622721D2CDCEABC0473
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12664
                    Entropy (8bit):5.820907765520525
                    Encrypted:false
                    SSDEEP:192:ZppQE1KwBTUg/bnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr1ipZ:LppUqnYPLxsSJeeMK+Z
                    MD5:79748E11A977413663C378C90CB936CC
                    SHA1:E3723771955BA309DE0C5A91FD625588EA9D5DDD
                    SHA-256:589A5F7397391EF221FEC1B18326C5FCB474CA7FF370CC70D42075C891CBD15F
                    SHA-512:F3A7EF8A5026371C9FDC99D4811E52F5AF7602E3D29D15E43B61511E373D3B08A3FE88C15E1C439F9B73C781C09037A5A4215375BE5EB9215DD86FD37D4DC86C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12664
                    Entropy (8bit):5.815075932936775
                    Encrypted:false
                    SSDEEP:192:YbuOvFOBvCfRDTUg/cnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArOq:Ybuz6pURnYPLxsSJeeMM
                    MD5:5BBDD34E304B43A88563230145C9CA3B
                    SHA1:EB13A5589BDABFBB83AEC3C63EBFEE54E1A37952
                    SHA-256:1AADE62BC0C1EFC1AC818EB63639A48CB1A95BD736DD750991B26EA85AD065A9
                    SHA-512:CDBBBB98AECBC344B463CBEB71B01C1F048A70A9EBFFF4643273A7B05935AD2AA22D5F6CF2D177143A4414E9BF017C117553D8DFCC5CF38744440F27A5436641
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):5.788861048875536
                    Encrypted:false
                    SSDEEP:192:FJrMr4TUgvnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArg7zbO:HUqnYPLxsSJeeMNO
                    MD5:4B4E6E925A88E3962B263C5042360699
                    SHA1:936BCDFEE77464F359A55C4173B6F07A9197685E
                    SHA-256:0E1F667EB35472234B1614C3926A2D8D97FB9C857A464BDE6BFCB105028C5643
                    SHA-512:A4A6DCDBD9CF345E6286181597DE4C1C393D76A4FDA10AB3183455D8A835CADCBD66EFB5EB7F369F9C92F1B58C14A7DC12B827EB8D4F3574E7583742856B19A2
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12160
                    Entropy (8bit):5.961368770233767
                    Encrypted:false
                    SSDEEP:192:ZQ7tcPh8TUg/+nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArjRLxO:ZkUvnYPLxsSJeeMMFO
                    MD5:439C2EF27ADF0CF1FA7951A00EDB77B9
                    SHA1:8E20B255B55E0230E3F4D80F0946B10EB1670B24
                    SHA-256:B04561F13660ADDC1087AE15E5899E4B339EDF3F56AC0CD946E5404D9514AED4
                    SHA-512:A281F73324DC465DC39C5AD99B345223B338CCE6669C952F8F08A09B4D89599CC340BBF030EBC76D69B1F426CD65012D1107FAEA8AA4CF62CC25347809E57DD2
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15224
                    Entropy (8bit):5.647470793871256
                    Encrypted:false
                    SSDEEP:192:B8OmSm69XG8plBb97bAnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArqT/g:ymw8pl99QnYPLxsSJeeMr8
                    MD5:B968F8E937C1CC56306E4E2F4D0DF696
                    SHA1:332141D2812EFC95C1837D251B59B5B93BE2996C
                    SHA-256:A4DC74F9D071FAE754D74143826CC259F650AB1BD3A402AFBC43ADDE64B71B86
                    SHA-512:01EEED265387EE1F467BE7DE8E4458A4601F73206A379122A6B6AAC09B4987FF054996BB6A44D8CA13C02FC1CF9C35880CDC087AD0242979E9D961A4CA23B638
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15736
                    Entropy (8bit):5.632241536162722
                    Encrypted:false
                    SSDEEP:192:YjOmSm690fHBJNyLo+Thk/97bVnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArQk32m:mm0hJkLdA9FnYPLxsSJeeMnk3qJM
                    MD5:8D2839AFA8C8E6973B6DBECF72A3FE62
                    SHA1:9246269A9CC5C7AFAB542B7646682736F1C7D2FC
                    SHA-256:1BDC3349E0C7527838D1A2E187D726F7C3DB70AB99AE941B765D0B09ED2753BC
                    SHA-512:22963F009FA27E6A293AFDD8037CD8E57FCD0A531DB89617608B47AFB77AA1DF19DE025911DF9118B9E696C9FF72A3631C399018408948719B52660763A03DED
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15224
                    Entropy (8bit):5.607949675269382
                    Encrypted:false
                    SSDEEP:384:fmqlVtz69jSVOIdtVls9cnYPLxsSJeeM9MD2Q:7lVtuZSVOIzVlMcs5JGMD2Q
                    MD5:7DB16C547120EAEB4E8239DB4DBB21F4
                    SHA1:260A9ED2B76253316FFC14D8DB7F15FE918D27ED
                    SHA-256:6583BD75755A1FF79BC12FC87120A40825278DD46B70FFDC2ECC30AFA40A471C
                    SHA-512:244B05EFD00D65F5510CBCCEC0447CF5114A179A6EE31B1DE0B6913C54D4F738153AEF34ED0F3BD5B83EC313C476F01AEAC6ECC081138AFA64E868C4388DCFDC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15736
                    Entropy (8bit):5.624781282057106
                    Encrypted:false
                    SSDEEP:192:5OmSm69MxIIHAKXF8/oXAQ97bdnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr6NYdg:5mFIfJ9NnYPLxsSJeeM/
                    MD5:C8B437C2B5E1A95BFA914DD8D73FB5C2
                    SHA1:0A776CC899995FFDFE9E3AAC0C8DA973884554A5
                    SHA-256:484AFB53D3BD31C2BC0E94382DDB440E5B38085136F79205F776ED78E2B7CDBD
                    SHA-512:BBC351C90ED066CA0EFD0864679F71DA7DB0080579A4CED9ED0E2A2E969FDAABE3F68077303DD828CF12C0B0E0684A0E4E9695A3E85948832FD1503BA30945FB
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14712
                    Entropy (8bit):5.856638833667862
                    Encrypted:false
                    SSDEEP:192:cOmSm69id+7r8Fbzn97bMQnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArbPl+:cmq+v8Fbzn98QnYPLxsSJeeMM+
                    MD5:1FB81684EE9327BAED6C3B15E871BBC7
                    SHA1:88D6E5AE6FA6B5DA625397E07FFFFFE9A31DBF6C
                    SHA-256:BD0C777DAFEDDA78551D546783F6AB351D3E238A98377C7EA89BBC33E76598DC
                    SHA-512:AB70C59D87C30ECA51FB7C6D5F534D430039FC0C12A901A048B26648D8D5C48FD474EA4FC1D07D65B0894BCF47060D78A64372AC696D5E2D5951D1C7F2334151
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15736
                    Entropy (8bit):5.627794368341406
                    Encrypted:false
                    SSDEEP:192:cOmSm69CP2sQ0Oa4f48S97bonYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArE4IE:cmO2sQf7S9YnYPLxsSJeeM3tE
                    MD5:26956FF580437DCA6FB90FD9650EC0AC
                    SHA1:F96CDEC512A1C6E1726EAFF50111A3CAFB282BC7
                    SHA-256:265D1153BF6E6787879C7D4959CBB705DCBA18A8F60B04BD3ED8A9A5969F09C8
                    SHA-512:2E3C13707C208C79073D5855136F3D861C443B2D1CBE46F8A7C2C200555128C14F6A646350B6F5C14A78AF5C83A161B83418BCE341D6AE8C7BF7E5F56052CD4A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15736
                    Entropy (8bit):5.622717658584124
                    Encrypted:false
                    SSDEEP:192:VOmSm69+Wh/r7T+Ph2497bDnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArRR:VmkWh7T+PQ49znYPLxsSJeeMM
                    MD5:CEDC11C7B4BEF88ED541460082568D66
                    SHA1:B3C32F0E60FA74611068AFAD01B43BE7532218B7
                    SHA-256:A5E73B7419AF23A8FC71E414E79D9B6EEC8BB646260DD3F993ACC1B5FB68DB99
                    SHA-512:72DA0097EC6C2F79F86FDC60B010E90EE6E6F0BE8D0CBA0295736D1E2B70422A5F0CCF5847BAC6F129320CD0A153951ED5D366E949120ECD3663F4FFA5319274
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15224
                    Entropy (8bit):5.602871119793109
                    Encrypted:false
                    SSDEEP:192:limOmSm69vUyJiX897bABnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArH/qlct:ltmuygM9QBnYPLxsSJeeMkQ0
                    MD5:F1A0052DD73FE9F8951458363E963070
                    SHA1:8B62B30CF42BD6E62044C0C8E228698789B68E23
                    SHA-256:AD581CD4F9CB4F75C25E9197DC7F7D6DBEFA5A1EA8FE95703037FAB41884D1EF
                    SHA-512:411DEC5EC6001E9E9EAF77978904401D11D17FE204E92630D2C7CB00C7DDCA07701DC544CDA465212D566EB89456A25E4265EDE88B5DB80BA4575724144BDD50
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14200
                    Entropy (8bit):5.675580717493777
                    Encrypted:false
                    SSDEEP:192:nPjvr2oFr1CV9nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr4FN5b:P9JCDnYPLxsSJeeMvt
                    MD5:F530606DF7E9E007271A6FC63DAAA8B7
                    SHA1:3A3DC00593037E5B5E599B12264369759B3BEC2D
                    SHA-256:3275D6295317BDCEC8E7DA9740D8450F43E4A733DC51AB57CC0B53EF4F18F30B
                    SHA-512:F84FE5D860CFCD17BE4FE047F61460D43F35FD6ED2D1357EB7366B71A69D40008CF83CE6799ECF3500A3BE33F921D9DC566FBEA294F74B7C4760F3C6EC1BE3A7
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13688
                    Entropy (8bit):5.61477559708082
                    Encrypted:false
                    SSDEEP:192:Ff2hLyWRf73OCvnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArr3wq/v:J2hLrJKCvnYPLxsSJeeMWTH
                    MD5:BC4D6D7FD46EA3935C5725476D380E93
                    SHA1:EBCF2BB696F862AD1EC03D265608282A26DF7B80
                    SHA-256:88B1CDBEAC65C768385C6F6050D2783A5457232A9C10B251E35744F40AB76656
                    SHA-512:C610B8195769F725BE4447F8FF0CCED0FF16377E35D9AAA6E11E34C901012AB31C3B7168127649A991B6E63C90F8AA78E7C4EBEE830EF7FF59C682BB4495C76B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14200
                    Entropy (8bit):5.635680359820306
                    Encrypted:false
                    SSDEEP:192:Aa7dfIvlpmIOCVCnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArpvc:A8fVCgnYPLxsSJeeMV
                    MD5:7DBE781BCB2736FDFD91DD589F6D82BD
                    SHA1:55AECF77A56411611AB784BBE6EA5328539CBFA4
                    SHA-256:B663A431EF61327B97CA5AEDA76D8F61220A16CDB35622C86BB26ECA720A5760
                    SHA-512:AC37A2F0FCEF4779840789126B4692E83C0C913D98DE9AEFDB5886D6CDFFC3810667FEAECE78311EE8BBA76E28D9D494065BCACAAD15309BC1257658F6940133
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14200
                    Entropy (8bit):5.621994870450865
                    Encrypted:false
                    SSDEEP:192:uVcnifhQ5ixDtYgZCVpnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArEov:uyniO5ODmSC7nYPLxsSJeeMs
                    MD5:CB7C991D10C88DC069E122C8BE43A877
                    SHA1:3EA86A8C8BCD38EE2FF2A47836E4E4B82C52673D
                    SHA-256:38E039B5F4141C9C898F244F0F001139F49EBBBF0036780BC4ED5EAC4D44D14C
                    SHA-512:6DC30964B885B8F5B65F711BD033AFA33A0BB3E4ADEDC0C20F4D52A88FA198243192F516B83B26D6B51D8DE4DC1B03C91B2F4ACF81CAAE006AFE52D0E068529B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14200
                    Entropy (8bit):5.668638982743909
                    Encrypted:false
                    SSDEEP:192:cPp1H9xUjm10a1CVZnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArie8Y4l3Au:cPpmi1nC7nYPLxsSJeeM234lQu
                    MD5:B689D018CEBDDEB289F4ECB5DBC64D83
                    SHA1:4DDA4A0A56A964083FA2660C2E89C82CAB412D79
                    SHA-256:A68E10C58AD76BC2C6164AC7AD2FC200CBB10CD0A40CEE12A5145BDD0871B9FA
                    SHA-512:02E1B047B5E6E5EC398EDA707532AD7D5406CA69BB285910FBAF54FEC9837085781060D1521B526BD95A20F7B620070F470D1A19B2804EBC5E685E4099089416
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13696
                    Entropy (8bit):5.857274135603934
                    Encrypted:false
                    SSDEEP:192:TQ/j3IHuRCVIvnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArRoo/7h:TQVRCWvnYPLxsSJeeMOpV
                    MD5:9F7AD2BB58E6F79CD03B58A06B2B727D
                    SHA1:E51EAEBE43BA6DF471916435303A1B3F845EBAF1
                    SHA-256:01DF9C8187A46B056C39D913C4C2E72EA54F2D8CCB4B4EEA8817BE6AD7636A58
                    SHA-512:BE9B11CDA655E58B1133DFF6EC6DB5F4FC5C7173D9140269577B76B0838F4E87790BB6B1C4677ED82972E3DFFB7F0C8B3B02A32D67BE156978CAC1DB46D18D0B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):5.888747628074465
                    Encrypted:false
                    SSDEEP:192:356aqS35qTnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArKaD7Pxns5kDO:3IaqS35anYPLxsSJeeM/afVckDO
                    MD5:293F4DACB3BFD682ECFEEE0762314D6C
                    SHA1:5BB5574CC985970EDDBFECAEECA223367EFBBE12
                    SHA-256:DD8A170E174DE667F2CA0E532F689C0A61605E68886E25A8404993D48079A131
                    SHA-512:15CD0B273C1ABA7EB714AFF6B9BF852A1AC547214DC9898553CE42AC28C0CEC2FCE1200C8776BE1036A6ABA2EEF48ED24F00B6CE9C68009686FD47E9B0A10926
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):5.88740490466966
                    Encrypted:false
                    SSDEEP:192:kR5r5qSnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr6VGG:k/r5bnYPLxsSJeeMTp
                    MD5:EB91391BC95E7D8A8D5892E08237B909
                    SHA1:49608A04EA0699D6484B2253EF33690A9C2BBCE8
                    SHA-256:003C014F1A246F1FFD7A84EF642D336898E66227A32A9EEEBE65AF81BFEA0F02
                    SHA-512:3453A8DDD2CDA52C9FB4A71AD598E99B5E834F254B6F93234D027D3657219C41A15CA09C8C10D7714082673D67C643FEA467FBADCE3674F8AA998CD06EC76D88
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11640
                    Entropy (8bit):6.045019924683638
                    Encrypted:false
                    SSDEEP:192:ejnTv5qpnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAra77z:ef50nYPLxsSJeeMDz
                    MD5:9045A81AECC820240597D6BC74DDA162
                    SHA1:31A14B277874F79E021A393A4E067943A291D098
                    SHA-256:2E662F66F536101EEB43D3A92F1EE5CD7590D1E6B1D35D63C396B368E5D9BD9D
                    SHA-512:D466B34480CCB4A757FE286639D7C8A7648E4A2F101946671DB4BF05FEF0857E33B3437C7AE3E4DA7BAD7882CCD29BC8DE7AC9940F66CC1599596A5AEBD4EF5B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):5.83118744255426
                    Encrypted:false
                    SSDEEP:192:O/s1v5qXnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArQe/U:/v5enYPLxsSJeeMqU
                    MD5:79057F12DD53297227D21A99EA389B0F
                    SHA1:AD4BBA7E695394BA57E5ACE5E23E8871D1B5F78C
                    SHA-256:9841F6F6417C05EEF1D65EA5B177925A262B170B64EF8308103E2000B5690991
                    SHA-512:CB035F9F7E3CBE334BB0260DF18452F75BC7F1191AB1B23638C86378A4D09D424D03D8B20DBE9209C1D8A33967676559D12DE2BBEFB19C868ED26964D60FFE2B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):5.894745146563505
                    Encrypted:false
                    SSDEEP:192:myIzJ5qBLnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArIyu:jIzJ5OLnYPLxsSJeeMqu
                    MD5:D54F78F8D8CF6508ED21FE2EEC2E7BF0
                    SHA1:8816D97CCCC3B422B6D7220570F9C40730360E75
                    SHA-256:1A7330E84BD62410BF7CAD17D9B674D1500CF5E7EA13F4DF8A8C64D2406D7BA6
                    SHA-512:F69A8D7812ECF2B79129458DE4CE1AB8E059687B3155F77019F45FB0252F395B98A07B8868933820B074342088E0E798286C69F10B3F153BAA4445E1AB58CE64
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11648
                    Entropy (8bit):6.077172638353683
                    Encrypted:false
                    SSDEEP:192:jF5q8nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArLV5F:jF5FnYPLxsSJeeMq5F
                    MD5:F9C164B71643EB1C8770AB83CC7C7622
                    SHA1:268B92C0636339A913708EE10AE0AEA00CD487EC
                    SHA-256:2E4F42C768FCCE80CEED4B53F391F64E97DAA92E9504A1DA2980C55F62D557FD
                    SHA-512:6604ACE3C5BB401278679298BD233A35FAD5A2CEECA14FD48045957503436622846D49597D5523B9EC0C24B4D0ED245054A141C123F7F56D8BF9597770D78FD0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11648
                    Entropy (8bit):6.062148227991238
                    Encrypted:false
                    SSDEEP:192:/I1C5qNnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAruM1:EC5EnYPLxsSJeeMM
                    MD5:994BEAE838384BF28E44E3413E38A428
                    SHA1:608DD86D0E43118395416809A0CFD4D9D65CBFCD
                    SHA-256:62D8085DDA314FCAA7B1F6D2DF6EB86D576B183352F82A183E1984FB23C660C3
                    SHA-512:FE56DCEC30C6E7B54E2A59F08AE08295B183BACBB6AED233323BA174BE0A585122DB623CA6F519787CCBFA48BFF2075B966E273D86EA286FB9A6EA3AEC016AB8
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12664
                    Entropy (8bit):5.758529946612649
                    Encrypted:false
                    SSDEEP:192:eiFi9vmvCuiBy2H97/bnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArXnnu+D:eiFi9vmvCuiBy2H9XnYPLxsSJeeM5+D
                    MD5:35A3769DBD9F7C398067416FC17E522C
                    SHA1:DE9DB63BE3ECC073091B04B0DFFE29460D8F8A44
                    SHA-256:38ADC094079B2F39E617877E807FC1B1013A1F66BFDBC65E489FDE7678B64AA0
                    SHA-512:9885F9C606177F26DB8ADD498363423108EE8E632420025A5E17E89B99C45E1FA9AC714445596429EDE155BD44EDED7BA8606729509AA767F73C69062B81F341
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12664
                    Entropy (8bit):5.838150104513152
                    Encrypted:false
                    SSDEEP:192:YnQnw9yH97/anYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArKbq:YaH9OnYPLxsSJeeMZO
                    MD5:D20F04645429E05B61DA01D110481B61
                    SHA1:71A3900B40EBCE48FA18D62ECE533B5D94D00FC7
                    SHA-256:3BAFFDE3837A06544D9E9663CC50AF7C6DAAD004487058AEAE9D68AA938E6B31
                    SHA-512:785D054DCD72E09E210077A1049A817652EA24231CBE151EF829DE753F216491A89256C0E46F2754A6608FE41B943F0C8A829B0C1AFB82003381644B2A5277ED
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12664
                    Entropy (8bit):5.738313662694389
                    Encrypted:false
                    SSDEEP:192:jgXly3bZPvjoruH97/EnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArK0pF:VIuH9AnYPLxsSJeeMn+F
                    MD5:4DEAF97A1B7617B6FE80460AC8CEE756
                    SHA1:63DADA4AEBEEF7951B7D45F844B2C4658BF3CBA4
                    SHA-256:FE261929718088C8881E760A4F37CE11798AE42F48262BFCCC68330B74FB810B
                    SHA-512:3D220B61EC6ACEAFB290CAAF3B31E02612527335536A080DCBA273CB3395ACA33EA134F3D4BF278B442C228C4CD7A4DEDD7DA9E69EF7D6C9C0BBF5A50B44B8F9
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12664
                    Entropy (8bit):5.828859604035011
                    Encrypted:false
                    SSDEEP:192:iVlDiCbxEobR2H97/LnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArkwYhbz:iVlDiCbxBbYH9fnYPLxsSJeeMt5
                    MD5:CAB70FF4A2ABFCFF93BED459A3A1D4AE
                    SHA1:2AB9CC53839648A099AD864EB03FDBBA9061061B
                    SHA-256:7F4488D89EE70C0D9722890B06160C9BFC10EAF92363C6EC976D02F9E3117AB6
                    SHA-512:E34B5297C21FE687766163AD494744E4B9DD096E62F4960E8DF14E0F724611E27E6AFB19014E13B87AD5BC9439FFC617B77EF566672AC2EB38F020AAD1A5AD24
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12664
                    Entropy (8bit):5.8010954482226005
                    Encrypted:false
                    SSDEEP:192:Yu0WYXwH97/2nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr9wiyg:KAH9KnYPLxsSJeeM2
                    MD5:2AB7CA34177832D9E81A3695C66DF5B4
                    SHA1:409A1712D65356245D1717E88671F0858C752051
                    SHA-256:7F3BD6D94DC463FEDD0A98D9628B071516F183E13D303BC1B61EE169DE930BFC
                    SHA-512:F61F5A9A64C2F6D382557A5FB66B571ADFB97B50307007653A647B1EAF3A10E9F6B5AB1114439B149C01E02A7F76AE2FA24997E3AA732DCC9406AE570D5E4901
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12664
                    Entropy (8bit):5.75982437873881
                    Encrypted:false
                    SSDEEP:192:gTH97/InYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArsAlied:gTH9snYPLxsSJeeMf8
                    MD5:E90E766629C935EE41628AFF5BAEBEA2
                    SHA1:588D90D8FD1EF041A16226F6C9A0CCA52C382237
                    SHA-256:129F31F425917C5A11CE4E749E0E494F69B18276D22AA5ADEFA44E6A0F881092
                    SHA-512:8DD6371E1D9BBB36AB7BE29AC8D250BA7A0B485E678BED676CB052E1B5789C27010D0BE02C77B470EBB4E5F47E1150649DE753ED9C1BD16D14BA18876A8D8834
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):5.830562311406705
                    Encrypted:false
                    SSDEEP:192:kkc1LPKnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr8ntXr+:kkc1LinYPLxsSJeeMu
                    MD5:79736ED2B74C829EE67B5DDAD964645C
                    SHA1:4BA4A43D97CF1F58A75338481D90B26F4920B6D1
                    SHA-256:8F11B4672914925AF7F2F6346EEC64BA430A0A614D33C01A5D240CDA3ACE6615
                    SHA-512:2EED79D42C87BBC5E4A6BC0B3071160247BDB23C3A195CA6D485B08ED6D4BFBE392FCE62039823AC4AB8F45D5C654097C8AB5C9EFAB6239C2D290DCB64A2CCA6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):5.815903491634561
                    Encrypted:false
                    SSDEEP:192:sIkssmErEPLPYnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr/M+Q:Dk4woLAnYPLxsSJeeMmQ
                    MD5:6F3EA0FB4CF9946C338BDE65FBCE6B8E
                    SHA1:97C13C80A200BC818A57451A038B1A9F558164E5
                    SHA-256:DE699AA11E7601A52CBE7F83C721428C807287DBED0AF900835A94CAC3025B67
                    SHA-512:38C4962E781E504654A52C4CD5F6D4AAD6E005BBE7BFD8251ECB0508D9AFE980652324A1CDD477553F25E394936D072919E5945DF7A6CFF69D43F076C1DF3CFA
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12664
                    Entropy (8bit):5.822993840097214
                    Encrypted:false
                    SSDEEP:192:HBkkOAewLPrnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArrOM:hksLjnYPLxsSJeeMg
                    MD5:42D91C9C72370D0668CDBE5C51DE3BC0
                    SHA1:9ECE6CA17879202AA8A303AFD6930DB76A2A11DF
                    SHA-256:B0A904EBEAB8BAA9B39437EF05400580B407965AD8DFB4147ADB9AB11703E885
                    SHA-512:900E68F493C35567031D8FE696BE2E374F4A1E884D4F2211F9F8BE3D798960A44D92871787E358C00490520231E801B5AD96AAA4353614064E494B097DA2F482
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12664
                    Entropy (8bit):5.796356186905116
                    Encrypted:false
                    SSDEEP:192:cknI7nXfLPfnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArsT3Sx:ckEXfLnnYPLxsSJeeM5ix
                    MD5:D62CAAFB10AF3353F446A737B07C7A6E
                    SHA1:EF2C3B8FE7A9A40B88D4680F5CE9D7690FA69448
                    SHA-256:004188B33C121EEA688074A91CC65C075AE9B900CE0DC699741CFD450E875352
                    SHA-512:B5150AFD2DD3386D36DD25F2FACF1B0E2D3CF02C8D2B5793479B24BA97CDD6AC602F98BDCA5B84EE9F0018C767149FF57F4328F025E06CC866DE169F991CE650
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12664
                    Entropy (8bit):5.861071403943418
                    Encrypted:false
                    SSDEEP:192:I3WkUjwiN+px+pZLPFLnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArVDo/zh:OWkUsk+px+pZLtLnYPLxsSJeeM4DAzh
                    MD5:6480BD6F68C1447B9A31172DFD26C4B8
                    SHA1:B5514C0F7FDCD243414659944EF38B26820BB349
                    SHA-256:07648DDF1D2AB73AC7620309DD8FD63A5902EB5489F742A07C99FD7B0F41EBD6
                    SHA-512:BE0E85D648558C580DA316C158A6F177E06996D34F83E67B4F9C98A4202B87DAABD233D9D68763FA8F981332B4EBFF5BB67A60F7F3D0FCB49BBB70AC2E09565C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12152
                    Entropy (8bit):6.037947228260047
                    Encrypted:false
                    SSDEEP:192:YQSkdkljQFLPpnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArjiTby:YQSkdk8LhnYPLxsSJeeMkey
                    MD5:1956D4FE683F86398A38C4391FA34C69
                    SHA1:25F13B881EB1C72836F7300A3A085E8AD05C6916
                    SHA-256:DF78F8D8107EB07B4B8423FF085764BCE336D3D2D3FC342FA1AD44FF8E43B9BB
                    SHA-512:AF7C344A61887BEB3089A398CBCD91BEB1072AC38C4CA3ACFB55EF3724AF1F4DE2FE06AFEBC479B9C844D9C905F9D426B2EC727948AAFFBD665400B32393B21A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):12664
                    Entropy (8bit):5.8401173642632624
                    Encrypted:false
                    SSDEEP:192:8kS2Q9nLlLPanYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArnh3:8kO1LlLynYPLxsSJeeM2
                    MD5:B3DBE94D30B3D1D75849090E32B60B1A
                    SHA1:B159AE5DD229C8B80421B19705E748FF153E7018
                    SHA-256:21990A338EE93D645223EC4553CC9DCB766576AE125673FF30919A8C9A30A4CC
                    SHA-512:BB6360AE398782B7AD0197622E1003444FF9E161EF9A45FA46E8EF6449778988DBB11AC89ACEF547511F740893D69E928BF50960F8A3811919E26E722E38EDB0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11648
                    Entropy (8bit):6.023008109073578
                    Encrypted:false
                    SSDEEP:192:yk5tLPXnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArdUxlNB8:yk5tLvnYPLxsSJeeMcm4
                    MD5:0F15B0927AD85CE2576522DDB2069A09
                    SHA1:E9AFBB78112428421E0816429B49DF43CAB041AA
                    SHA-256:1FE2F3690F0EC6A0FF82F0A5D57BA7E8F35A3B42961548DA4BB34A836474A371
                    SHA-512:A5A1D70C4F0AE3943C4A6C53E6F37031783E4F17DEC2663C164FB79FECADFE7944ABB5EA29ADB9425C3B97604828043FD45F843AED1EEF6409DA654059BE6A63
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18296
                    Entropy (8bit):5.366278679166387
                    Encrypted:false
                    SSDEEP:384:PtuVt9vQVX61wXF+x3pDEnYPLxsSJeeMvC:P02VDXF+x3dEs5JGC
                    MD5:4732AEFAAFCA80A6F4BA165C6733F3C0
                    SHA1:28A22003DDB587798C6DB53F5DB0DAAFE7A51D64
                    SHA-256:537904E2E5B0EA6819DF750F5B47E1052CCB6E35706984E14FC1247106ABEAF1
                    SHA-512:C01292B51CC51506A755B9F491F78C2EA2A226D8BAD2E7677F3569F7EBE138D40C8153C2E2D5F08ED6CCE847D72B7E93D7AE6E507BBEE0A9ABCF7CD3ADC5DB28
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15224
                    Entropy (8bit):6.061028208422956
                    Encrypted:false
                    SSDEEP:384:LXEJW/9tHo2KKl+pDFnYPLxsSJeeMLI7U:LXEJW/9tHo2KKl+dFs5JUIo
                    MD5:2175DF5FB2C484E1B27B7F3CA57070F2
                    SHA1:31F5CB888AD7E1707A83648FEF6595A14E6AF89B
                    SHA-256:6AF199FD9520424C787731815F7949D40C1732DF3443A92D8A0CD762FDE02DEC
                    SHA-512:239D5FC43E75C309E26D8ED395B7A4E7391F38F123008ECC33128C4386F037D9D81B534A3532EB1947F328C4E3893ECE86EA09FF9E2FFC5BD6B248842D957F5B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15224
                    Entropy (8bit):6.070998507270968
                    Encrypted:false
                    SSDEEP:384:jAoj6TDI9/s0XZapD8nYPLxsSJeeM2mme:8KWqXZad8s5Jjmme
                    MD5:0574E81FDD904F21D587D84750556C37
                    SHA1:079FFB9D8FDD54C3A4A09CC0A879F077FB6079DA
                    SHA-256:A9299405CA952267CE46CA6729221284CFB02023496044CDADAD2EED87BC6886
                    SHA-512:648AD225C24C1D69F49D8233DC253AED63264916992FFCB34C17BA04A2C898AD1C7088B3102BD06BB95D30D4A97ED61750674D6A11E3F2123B81A1A0E0BA1458
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18808
                    Entropy (8bit):5.263720784291414
                    Encrypted:false
                    SSDEEP:384:eOeu+Oeu+Oeu+6NkK3FZlr9epD1nYPLxsSJeeMZERo:Hsd1s5J5Ro
                    MD5:A01A2F62F84795867F068DC389545D66
                    SHA1:48CFDD80ED4A98795DB3D4441E2DB9135DAD105E
                    SHA-256:53CFEEDBF88B2DD3814C7805202BD443709B6319DF5827E1B5D92A249DCCCD68
                    SHA-512:566FC6E98D096036C7A263EDF60A128B8ECD6B21FE7942964CD3D30FCDE860FDF8D32704FED6E760353A1C4DBD343FDDADFF64B12C38053F0C011CD1380CDE82
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18808
                    Entropy (8bit):5.23673296567112
                    Encrypted:false
                    SSDEEP:384:pF2r0e40RhRmj+QMHXl0APsepDlnYPLxsSJeeMBTj:pk/hRmjfMHXlpsedls5Ji
                    MD5:4005D86FEF06E9BDE036123664073476
                    SHA1:BEE0AE9252A09346CCE155EE1BC68F21DE26B634
                    SHA-256:AACAC7D5017F1A406B7CAAFD7A27AD67F065B0E81CF52DBAB14F399B5677A4F1
                    SHA-512:DB6B02E4BF03C2588171A3D121B6797E924C39D8DB3B305A0ACB3829472FA1C31C04CDF1B6BE0739820940EBDC9E71545CE6AAB6A219239570717BEC58A405C4
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):17784
                    Entropy (8bit):5.7840539564078135
                    Encrypted:false
                    SSDEEP:384:Q0Ba7d1QVX6x+vzKWcRpDwnYPLxsSJeeM1P:Q0Ba7d1QI+vzKWcRdws5Ju
                    MD5:05298DCDC423379BB49E63FFEAC868CA
                    SHA1:A6249F4B3438B42FCB75F285F750C72EFBD70827
                    SHA-256:FEE930EE4EFBE09CDFEFED157092BC1DEF366D6361ABCA55538991CF6164B29D
                    SHA-512:283CBCC1CD2243CBC5B0AE007FAA6E1F978CF1EE29C75D8E247461A9C6D56AE4A69492C673A80FFF36CF165ADE42D0D2B83C8C05FFD616AAA609E6EF53AC96F8
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18296
                    Entropy (8bit):5.3725201600471255
                    Encrypted:false
                    SSDEEP:384:MBKKl2lPxkPB8LbAG3IgRsCpDxnYPLxsSJeeMHX:a2bRFdxs5J8X
                    MD5:8B26BEBC746455E577A5AC2ADB40290D
                    SHA1:97116E2234008748EABB07EC3189FBAC36018612
                    SHA-256:5F7D69E13FB749EE89802EE531CF3D39A91E71033AAAB1500A07C3A2C86424B6
                    SHA-512:991A01AA2412028EEBCF34590052522A14D2B1C6B9EB550FD80D42D356D99485EAE2B1A479A63130A9148F789EB4C70BCEDB9D6FB5DC467372F77930947BED79
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14208
                    Entropy (8bit):6.074499133327768
                    Encrypted:false
                    SSDEEP:192:ogTdVZf7xlj+BWD2YpD6enYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArD9vUx4Jgd:V7xltpDPnYPLxsSJeeMG5K
                    MD5:7F69B47CB47384E7C2B51E3F6335E289
                    SHA1:84E20CCCE6E64ABCACE8828972B673A5D8BE15C6
                    SHA-256:7C64D4B01F3CA7973EED006CC745824E9BEDDE7CE634B30BA2CEDA00CAB4D6DC
                    SHA-512:8CF24089723448828B22921AC551B1794710DFA38C2BA155153BFC124AA6248642E0D40A3C638C0785209BACF54655D0941E4D1EFEA5B17E8A06AF8F9EF2F1BD
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14200
                    Entropy (8bit):5.614451399857068
                    Encrypted:false
                    SSDEEP:192:XMrJz/6sFMnxnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArnonghZ:cN6sFMxnYPLxsSJeeMaC8
                    MD5:0BF30AEC667A358FACDACFF3AF400B82
                    SHA1:8F64AB3EB0E2228BC33922DD98AE0B54ED74CF33
                    SHA-256:0507BE57EF8686C3550D82D36B6BA1E69EA996B30CC3E99D7995F2DEF7A08585
                    SHA-512:46553F1E0CE0FC18BA9C7FE6DCA1ACFF47F12042746B25DD15E1FEE9F7AF6BDDB790BD5F8914D1BAD875673DFA67F81B647E033E72ACA2A6484CC2E6A72592CF
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14712
                    Entropy (8bit):5.574640026725875
                    Encrypted:false
                    SSDEEP:192:wW7+PWAQ9+4FMnRnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArz0zVe3:rGQs4FMRnYPLxsSJeeMbY3
                    MD5:3090F6403E2D3A88FA99B23192B541D4
                    SHA1:1C3C96FC880E15BA24E3B4F31006BAEED674C025
                    SHA-256:626D46B953F46B5C2FA83A0C69F56CFA80D68B2C27909CEC9B2F333FF5CA78F0
                    SHA-512:F4DA515F518FD8BC0C5924C5E26D951C5A21072368BC09987A039FDA2B51A416463C548A410449A57883163799A9BDA1C64C36146D130E2098E163B96DF70070
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14712
                    Entropy (8bit):5.572793498921576
                    Encrypted:false
                    SSDEEP:192:hAUPLZKA/NFMn7NnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArpyiSZ:mbA/NFM7NnYPLxsSJeeM4yL
                    MD5:B78DDFEC7C974F297A154FFF224407A3
                    SHA1:1448A9C4A57750309461E3001125B3BF2E808128
                    SHA-256:78765033D4A472388AC1B6FF163010FB3F607DF872D01EB313613AA049E515C7
                    SHA-512:19944BD8C487FD6518FDA457C5212149A7CA00828601ED3818B26A4B327222EEF4DBA2AE9B5A71A1AC33C064B4F891F1ACD6578A0324F77C70F96C58B0B8FC49
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14200
                    Entropy (8bit):5.589929749212328
                    Encrypted:false
                    SSDEEP:192:s95sGI1udqqxE7YFMnenYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr45sN:cc17YFMenYPLxsSJeeM3CN
                    MD5:C22F3B2EEECFA518194F9D416B784B0B
                    SHA1:E5EDAAA46EF69CC45EF8987E229144358587FF4B
                    SHA-256:8EC26CAA5E1088326129A7E3DC8595EC4FBA0C01727E7A31679E6748B2EBC099
                    SHA-512:7B9D3E80C785EEFE966DC7E87DB461560BCFA61451E3ECC83AD2ED380800AF316685F44C60CB3C49981725087BC99E2E0A57693F9C0D0366C540DB8E99074841
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14712
                    Entropy (8bit):5.496937994340081
                    Encrypted:false
                    SSDEEP:192:r/dIWqKXHf5sYFMnjnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAra6i5CO:JqK3RFFMjnYPLxsSJeeMn6BO
                    MD5:CA8B75353F9AB8408D05CB6755AD4657
                    SHA1:FC9386E5F371F7814575A03B11A5653307F28DF1
                    SHA-256:D8EC420938C669B8D23EE252A630801E5D795BEFF7A4C593BE8C113038930837
                    SHA-512:5F76D02078589688E599F2C83198256080643DE8FB73A89CE00210C2D9DC7F5E6662A373AF7870F03372487FE6A7060F7388F5198E857CAE1C16DE5E629243CA
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14712
                    Entropy (8bit):5.533725474913048
                    Encrypted:false
                    SSDEEP:192:5dWtyyz18ClJn6FMnERnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArgVRp3:+o2Tz6FMERnYPLxsSJeeMrV/
                    MD5:A190B72C4999B19F8EB5E5292E497CD2
                    SHA1:1E26DA4C70B1FED72356C42BD6FCB98E8C4477D5
                    SHA-256:1A22CF86EF07009E1B31366323ED06DA9BDD9919D0FE6F8F9FDEA268D9DA2B8D
                    SHA-512:924F8744EF586E95E05942507D6380AF0E620AE338C0D7314539CD5474C2023364D95D6ADFE75EFF8B0075FF01756B442AD9AEE8865A7E69241370482454B346
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13176
                    Entropy (8bit):5.924133261723057
                    Encrypted:false
                    SSDEEP:192:vWXbRIQFMnvnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArrM9K:eNzFMvnYPLxsSJeeM2
                    MD5:58F15A52A6AC83051EEEE7791A272827
                    SHA1:E5A774D6D8891CC785872874C795199465549E24
                    SHA-256:BA2B095FEFBA3282B0E2B07E603A162672DE33F96302604EB30B45B52E82C05B
                    SHA-512:4D2EC91A7D27F814EE5F0BA617E97C618E0FCAFE67D47F539E8D903FACB2F2A9548D7F00B8AAB0065A0B84BC39A3C1B53AC70802B13593C8537F582C9517BE6F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14200
                    Entropy (8bit):5.6095033490260136
                    Encrypted:false
                    SSDEEP:192:oIVl1FVdWzmVFai/FMnDnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArOmiT9S9:HVl1FVdq4FMDnYPLxsSJeeMDmis
                    MD5:142913ED102EAF359272995BB900B197
                    SHA1:317F170F2063F7B3BD4E354EDB5F2D46881BCB47
                    SHA-256:0FC407607FFE56E5497D8381C62C5F3601DB3FD010B909211A1232E93504F1AC
                    SHA-512:27A6B7D89356FAC9E7887903B9AE7BF2EEAB939F48B17A6E3174C04F1C5C799E625A62EBE27B7F553FBA127967FF7ADD825029167CBF230B07B3D5292DCEF4C1
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14712
                    Entropy (8bit):5.624359419199397
                    Encrypted:false
                    SSDEEP:192:DF0awUrTzHFMnynYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArldPD:tw8TzHFMynYPLxsSJeeMA
                    MD5:D0E4B50D6ECA286EC3912CDBC1FE3B06
                    SHA1:2B771FB4E5E22528620796E80C1C9B853D73A775
                    SHA-256:5589949D9DDCB71679CAB657DFAA72E4D501CF8FD9AE84459139572F67B2AAD5
                    SHA-512:8EBA564A4C0D361649FCD60515CB5A078075AE789355084AA7442A264BA9D4AEAD8DD5DFA6E05D9E103893A8663CCD53844B050E6657C7C507DE5EF3A8924006
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14200
                    Entropy (8bit):5.612374424532895
                    Encrypted:false
                    SSDEEP:192:no40YLCuTiETmTZO6FMnGnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArvX:o40OTiETmTZO6FMGnYPLxsSJeeMw
                    MD5:BE65E7C974384F200981EF005C3CF969
                    SHA1:F397FB7F71D4A059CAD6D16EA89D9F6DF9A347F3
                    SHA-256:8B6AE5F79D1FD21D6091D24BF17C0D2AB21C87D70E27BCDCBF4C6FDDF8DA92AD
                    SHA-512:46D012694305B9FE5EF33818D610FCDF0AD91A132CDBAFB3BCACE3A29B2B28D039D8BB758A67267025079F6BF5A51A7118789E4106D76BFACD1E8E6A7192B991
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14200
                    Entropy (8bit):5.591143877185455
                    Encrypted:false
                    SSDEEP:192:p3TXDVMXWGhCDFMnjnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArInsKZHN:lXlFMjnYPLxsSJeeMfn1ZHN
                    MD5:EE2336A6393FD74E9BE812C8055815F6
                    SHA1:E239E8DC00185691F3CFD9955791FF26D0F0E8A3
                    SHA-256:F40F845CAA509291B29998921500C8EF285E0823A7D9976825F17E229EC3F30B
                    SHA-512:8C9E7F3A6CADEA83D46CB48833E4E094AB3721DC01763CB69E5E8A20BF4D02FE066DD0D57D5B5C8F02E53519A277D3E14A84C5E18C7BA2068B564E5690D416D7
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13184
                    Entropy (8bit):5.950278206580463
                    Encrypted:false
                    SSDEEP:192:BxC+12FMn4nYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAr+ih6:GRFM4nYPLxsSJeeMVl
                    MD5:0AABD3193862FF3098F84F91EC79BC8E
                    SHA1:E3B99DA84A39F10179090DE9FE0E665885D62899
                    SHA-256:606A45D46C5A319D51EEFFB90ACADF010626599A972772409E094C54BE2340E6
                    SHA-512:EDCFF363DEB2110C9E879549F556DE9174D24AE1B8E98B965DAE0552BA3E08A7F493DAB48E2A8F4F03E36FECF0070706E193715EC13D1B6C3EE07F4D43D9EADF
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15224
                    Entropy (8bit):5.423908205008346
                    Encrypted:false
                    SSDEEP:192:QLMpumdf+0Ys9O/rnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArbJG:2MK0Ys94nYPLxsSJeeM/
                    MD5:5DDB9A7DA94826888D6001BC903894AF
                    SHA1:B9CD4A868770B52FC1B42D078AE667C8B16CCB05
                    SHA-256:EFF15959AEA76BC060B8335E0EFD0FDE50B33A105DA69738F6C5C5ED9D2E205D
                    SHA-512:B603CF0F46D6988FC114B696766B64FB832B78CBEF97337BBB6546D29DFFC380032FF081A0E0F692BA1DE4DFB0B4693A15D7E607E26949A9C00F4C2F4FD79EBF
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13688
                    Entropy (8bit):5.934447392365038
                    Encrypted:false
                    SSDEEP:192:osvOpYPkaib2vP9O/tnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArv+f5:PvOOk89KnYPLxsSJeeMU2
                    MD5:EC4580E46A0B6EF7D84FDC38FC7A1A5E
                    SHA1:9A6CAD5E0D7A50336AEBD4DB24E592772E5757B0
                    SHA-256:314A5FD7098C940A437F8755E4A9806949B81E3C69392229D39236DE3D00F6B9
                    SHA-512:301A552F7ED0FD8D64C8052B1EFE9C68E060E44308998CCF53DDF6DFFB4F3611B73D1EC6E5B494846B73F838DF5D74869D1AB26F4CD0588CE95A6E21427E626E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13688
                    Entropy (8bit):5.995584311212312
                    Encrypted:false
                    SSDEEP:192:SMp9rCT+KvyJ9O/unYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArF72y3xtI:7PCT+WyJ9RnYPLxsSJeeMo72Sxq
                    MD5:1C84567801A9505022769202B1463D64
                    SHA1:DD641AC261404E39B4F097362C1DA8E0F63E28BE
                    SHA-256:49F2C8BC35123B1B3D7779A54137A49AA0A0E1BDFF6ADC716B95591DAB97150B
                    SHA-512:EC9A50B78CC485E6E33987B973C3FDC129CE6BE42A32097668C304DDCC2415949AD4312F150A0134517A368542F46332F9B2BDCB8852FCBA2B8BFB07102B5CB6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15224
                    Entropy (8bit):5.457466797665743
                    Encrypted:false
                    SSDEEP:384:P1FVl101gLrKcN/I6Oc30r9qnYPLxsSJeeMqW60:aWLHNV3wqs5JHW60
                    MD5:8C0901B9124DF69ECC85383D14BD3385
                    SHA1:6D1A7228CB67E92294245F10B0A0C5EBEEBE835A
                    SHA-256:5C1977003A6AE1301F5C5EA7A8B0AFCEEC5C442E3263CEE295286571794C245E
                    SHA-512:7651978E0CDCCAD71CE572A5C3B2CB1CE156607AD994E193D0F281F5495EF04B58F367E8DF29BE57FB70A1C66136B0BC1B8D88AD6EA6765AF51323A590E864FF
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15224
                    Entropy (8bit):5.876023201413132
                    Encrypted:false
                    SSDEEP:192:5BdUppfa5sfnmsLXKs2i/8eglREQ9Ql9O/snYe+PjPBr7ahPO/d3BNJzr9ZCspEK:6pmRshgA19TnYPLxsSJeeM4CA
                    MD5:E8D1EBA781A8829CA2F46176EC732564
                    SHA1:35B36DCA28946D723088F9357FCDC23CE4617116
                    SHA-256:FF21CE79CA8C1BACE4A20B98AED2ADCF7D3635D078B5567D27428BD81DE6E0D5
                    SHA-512:ABC1FA2D6DE2BFB94ACD843828B06DCCAD92E8D6A5634C86882323376322DCB012B45B84040E357EDE0E06846FAB6BC1EE2E520422C948583CFD7F02930407AF
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13184
                    Entropy (8bit):5.978319862747916
                    Encrypted:false
                    SSDEEP:192:ZfQpBefmS26DZ9O/wnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMArlW1pL:CzSJZ9jnYPLxsSJeeMmql
                    MD5:9CF1A73936CA04DE692BDC0675123CA3
                    SHA1:F32AD35FA15F6C24E9F8AC31A663FFE6D58D4B1A
                    SHA-256:EC940E4B962CCF6ABE578C18FA369BB40D084061492A94DCE590BB64E428E954
                    SHA-512:D7B854FEE52223F2381D178620AB8D128BBAEBE0F84F548672E60460FEC4CBB260A21E171617046140E06B0D8B67E9031D122DBA508095C27707A4DF43C10DCE
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18808
                    Entropy (8bit):6.029788563870511
                    Encrypted:false
                    SSDEEP:384:Rlh1Bu/3/Q4tdx579CnYPLxsSJeeM5cRR:HLW5Cs5Jp
                    MD5:C6A0DD8C14E7B3D963C3235E801EBD2D
                    SHA1:839EFF27E056C269F892C708ACB9DDC917D0CC2C
                    SHA-256:C23A125E6115D3A5548B5BDD3EDAA6662D3534F77F570DC603A2E41C95C48CA1
                    SHA-512:0ECD985EFEE0DC626CF30031E415D026D38AD30D6B7C4D1E291AC6628EA7E4E0B70A62A2ACFB214960E44E0CF19A000F5E1E3548FF902A7DD9EBFC97B35B331C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18808
                    Entropy (8bit):6.026106922877151
                    Encrypted:false
                    SSDEEP:192:FFUh1Bu/3/Q4u9obWnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMHorotQz:Fih1Bu/3/Q4u9XnYPLxsSJeeMRm
                    MD5:4304D90546F69B79C6539B96625F52DB
                    SHA1:ADBB645CEB06ABD749FF5ED16A94C8701C6BABDD
                    SHA-256:B31D63D8FE4A4D18E4871DAC97FB381B088457F6957B0F72AC91B33DFE71536E
                    SHA-512:F11B5B548833A0FBCE2B14EC208694D8C50D82652B6B764908D8524A31C88B14A524BCFD38DC5396D96593B328D09984917952B2D444A81FAEAAB83EFE2DB163
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18808
                    Entropy (8bit):6.027396813122133
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18808
                    Entropy (8bit):5.9814246863628595
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18808
                    Entropy (8bit):6.032841086903415
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18296
                    Entropy (8bit):6.107920358322189
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18808
                    Entropy (8bit):6.012156915414429
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18808
                    Entropy (8bit):5.993908354842756
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18808
                    Entropy (8bit):6.031749296762309
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):18304
                    Entropy (8bit):6.12371726300395
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14712
                    Entropy (8bit):5.575884773793532
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14712
                    Entropy (8bit):5.546057542472388
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14712
                    Entropy (8bit):5.515702024026845
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15224
                    Entropy (8bit):5.494453984142547
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15224
                    Entropy (8bit):5.576215841098574
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15224
                    Entropy (8bit):5.567562435469392
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):15224
                    Entropy (8bit):5.862891427029506
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14712
                    Entropy (8bit):5.589308801657252
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14712
                    Entropy (8bit):5.9298440906857035
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):13184
                    Entropy (8bit):6.0199715970332806
                    Encrypted:false
                    SSDEEP:192:ITVGUKkxDNb+pCKbSnYe+PjPBr7ahPO/d3BNJzr9ZCspE+TMAriPrpV:mc27bmCdnYPLxsSJeeMftV
                    MD5:813D1C039053BA2717151D0009BC1D86
                    SHA1:915C26B3AB8E9C731532CA3AD6E3B08BBD139F57
                    SHA-256:ACD7F20443909FD7DDC51A3C356E1CBC2FB4435FFA181044F13F06D8E2FA0869
                    SHA-512:34A288D3326A1A37AFE0CE3722CE4811CA9D0E4A59EF82CACA764E72908452E9FD2140C4B3D706F33592B8AF869F38EBB7C7EF180E20FDDA5CE7790CED689E36
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2023424
                    Entropy (8bit):5.491814656459604
                    Encrypted:false
                    SSDEEP:49152:JpheCjBaJXjpLBvOIcNeS2UZ/nAFc3IF9MVOzNAZHQcOulOv3x/F42H0YV:S6OwOv3lF4
                    MD5:8CC50B54F9C4E8D3260287E8B3C64679
                    SHA1:0E0240F88A226343F3C884C38B255CA79AF4C40E
                    SHA-256:D9C588CDCC8715FB2E61C4A53C735C0B140881447CF8019DF824F9F5CC73A480
                    SHA-512:25E74A752A1CB0668A0FADE9E0B7E4D19726C450C1EF059CE672BA650E8D4712119EC72E2268C34F804CBECB07D14DCC4AE5082436A2665CF02078D24DEF3B3A
                    Malicious:false
                    Reputation:low
                    Process:C:\1adc35b2a430ffb6f8fdcb\Setup.exe
                    File Type:HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):16118
                    Entropy (8bit):3.6434775915277604
                    Encrypted:false
                    SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
                    MD5:CD131D41791A543CC6F6ED1EA5BD257C
                    SHA1:F42A2708A0B42A13530D26515274D1FCDBFE8490
                    SHA-256:E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
                    SHA-512:A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
                    Malicious:false
                    Reputation:low
                    Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">..<!-- The Extended Copyright/Trademark Language Resides At: http://www.microsoft.com/info/cpyrtInfrg.htm -->..<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=utf-16"/><base target="_blank"/>...<style type="text/css">....html{overflow:scroll}....body{font-size:10pt;font-family:Verdana;color:#000000;background-color:#F0F0F0}.....header
                    Process:C:\1adc35b2a430ffb6f8fdcb\Setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):7062
                    Entropy (8bit):3.6341910087195983
                    Encrypted:false
                    SSDEEP:48:35dffWK03KGU85dSK45u+5LJBPq5vL45H+508K03KGJRE85P29bZf6H5MPzr5KmV:rKzKYLSIOSQbSVSjuumGlAzWv
                    MD5:382BABBBBA746BAB0512D12927246C35
                    SHA1:A55B89161617872DCFFB060C6F1308CF862866D7
                    SHA-256:D8F5A207CC4706EFFFEDB059CFC0ABC2EBBE54CF9D36663F20C08E5601FAE677
                    SHA-512:49104D44406F7C4BCE29B50A003513B3CE6157FAE7AECE8A775E3BF576E3E7DBA0B1C52AE97D54C0416B84A7CBFC66BF4A808CB66701FBB500AE547A01FF9CD1
                    Malicious:false
                    Reputation:low
                    Preview:..<span class="vbe"><span class="t">[9/30/2024, 7:46:6]</span>calling PerformAction on an installing performer<BR></span>..<span class="act"><div class="sectionHdr"><a href="#" onclick="toggleSection(); event.returnValue=false;"><span class="sectionExp"><span class="t">[9/30/2024, 7:46:6] </span>Action: Performing actions on all Items</span><span class="sectionExp2">...<BR></span></a></div><div class="section">..<span class="vbe"><span class="t">[9/30/2024, 7:46:6]</span>Wait for Item (vc_red.ca
                    Process:C:\Windows\SysWOW64\msiexec.exe
                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (328), with CRLF line terminators
                    Category:dropped
                    Size (bytes):756
                    Entropy (8bit):3.7326049163734645
                    Encrypted:false
                    SSDEEP:12:Qw5U3zfU1XQ9F5Tvvg8gfLl2lLBGLGUMXFYelmSTMlWlKUFlCKIQUv:QkU3YKvnURKVGLG3XFjmYkWQUFha
                    MD5:41423B92DA7CE5F19DA48304B2640C1A
                    SHA1:C31E588FF3F660976B3A1D57ED7F3619B2CD46E6
                    SHA-256:B36249B42BD2167F8D3908D4002CC3CD36385B24BE092CEDAC7613A27F7C97B8
                    SHA-512:52D1ED54B808ADCDBD6A44FE18422348FA77692517163F307CEBBE27255EE0747866490E8E894B6A9B15F5D798EC17CE070C559B5543B80E25B63380FC10AEB3
                    Malicious:false
                    Reputation:low
                    Preview:Error 1935. An error occurred during the installation of assembly component {97F81AF1-0E47-DC99-A01F-C8B3B9A1E18E}. HRESULT: 0x80070422. assembly interface: IAssemblyCacheItem, function: Commit, assembly name: Microsoft.VC80.ATL,version="8.0.50727.4053",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32"..=== Logging stopped: 30/09/2024  07:45:57 ===..
                    Process:C:\Windows\SysWOW64\msiexec.exe
                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (369), with CRLF line terminators
                    Category:dropped
                    Size (bytes):744
                    Entropy (8bit):3.7028966862143835
                    Encrypted:false
                    SSDEEP:12:Qw5Hk3zfU1XQ9oSHLGUnFYelmSTMlWlKULurH/Qdc1Ll2lLrGa28vvg8gN9:QkHk3YKoSHLG8FjmYkWQUcHg0RKOaVna
                    MD5:B4E9A4EB01FA526278090AC87238E31B
                    SHA1:99F52F221D26DB8D5B9A08253BE563EE8446B906
                    SHA-256:D8E0451EADD200C3430F7F340A6C9271C8FD855950BF41D859C9C033840DD8AA
                    SHA-512:6EF74AAC7C216CCCF47DC16142D5D1D3C0E3F7D0347DB9E6B4385A436B3439993951E0E871542F877C8D32D36D345AF2B825FD26320268383F938C243A7007A6
                    Malicious:false
                    Reputation:low
                    Preview:Error 1935.An error occurred during the installation of assembly 'Microsoft.VC80.CRT,version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32"'. Please refer to Help and Support for more information. HRESULT: 0x80070422. assembly interface: IAssemblyCacheItem, function: Commit, component: {98CB24AD-52FB-DB5F-A01F-C8B3B9A1E18E}..
                    Process:C:\1adc35b2a430ffb6f8fdcb\Setup.exe
                    File Type:HTML document, Unicode text, UTF-16, little-endian text, with very long lines (355), with CRLF line terminators
                    Category:dropped
                    Size (bytes):73802
                    Entropy (8bit):3.685512131449364
                    Encrypted:false
                    SSDEEP:384:fdsOT01KcBUFJFEWUxFzvHd+6kCC9WxQEAHx6ybI/ip:fdsOTLyUFJFEWUxFzv9nQbR6yUip
                    MD5:F72D8104EE14292D0C840548D0CD479E
                    SHA1:FE7714091CD71046196DF58AAA3578F7A53C0B72
                    SHA-256:B661C11B8F90C9F38E6858FE1C4FCC13AFB76F892572EA8D4FD52591E7E91946
                    SHA-512:256BC2D34F66DE1BB73CDEB88075C041018280DDE1885EE41D0005C417E4C7EBAD062F8BB47B36837BE5CEF2E3AAA022D55D25FB27AD97B6E9751642014EC5C4
                    Malicious:false
                    Reputation:low
                    Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">..<!-- The Extended Copyright/Trademark Language Resides At: http://www.microsoft.com/info/cpyrtInfrg.htm -->..<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=utf-16"/><base target="_blank"/>...<style type="text/css">....html{overflow:scroll}....body{font-size:10pt;font-family:Verdana;color:#000000;background-color:#F0F0F0}.....header
                    Process:C:\Users\user\Desktop\download\optojumpnext.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):4995416
                    Entropy (8bit):7.998905724333139
                    Encrypted:true
                    SSDEEP:98304:TsPj6quMBYyuSFOMKykvYgS/ylTpHufHMpPbOZ39c7T3eeom2vJtPShg:wPjzayuSgMKykQgSaTkvMxEYT3OfPShg
                    MD5:CEDE02D7AF62449A2C38C49ABECC0CD3
                    SHA1:B84B83A8A6741A17BFB5F3578B983C1DE512589D
                    SHA-256:66B797B3B4F99488F53C2B676610DFE9868984C779536891A8D8F73EE214BC4B
                    SHA-512:D2D99E06D49A5990B449CF31D82A33104A6B45164E76FBEB34C43D10BCD25C3622AF52E59A2D4B7F5F45F83C3BA4D23CF1A5FC0C03B3606F42426988E63A9770
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\Desktop\download\optojumpnext.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):50449456
                    Entropy (8bit):7.999857855558976
                    Encrypted:true
                    SSDEEP:1572864:cAVBjIQSzQe3cf7xOCHKYrLn+XxdjrALIjOqWY99:VVBIbzQe3u7KYrCDS9299
                    MD5:251743DFD3FDA414570524BAC9E55381
                    SHA1:58DA3D74DB353AAD03588CBB5CEA8234166D8B99
                    SHA-256:65E064258F2E418816B304F646FF9E87AF101E4C9552AB064BB74D281C38659F
                    SHA-512:241BA3F82F37818407BC00909C160B653B45A1A3D156E043B87BA18A7819294716705C952C7B46516C4AFD86E6F99BAD23E7235B951A371AE6728107F19E5F23
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\Desktop\download\optojumpnext.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2585872
                    Entropy (8bit):7.976224453143546
                    Encrypted:false
                    SSDEEP:49152:nKiC/rk62xWNol+5gOsLO66qJ6021cJjLtk4pWGNG5VGFPNqJyoTL:orZ23AbsK6Ro022JjL2WEiVqJZL
                    MD5:342F79337765760AD4E392EB67D5ED2C
                    SHA1:8318455B36BA0A748307459279D46F2F4CDB5A0E
                    SHA-256:69B61B2C00323CEA3686315617D0F452E205DAE10C47E02CBE1EA96FEA38F582
                    SHA-512:70F32D415C70A97EECF0280EE9E6B10DB8F367EECFEDD92FCA6155A7DB19A776D2A96D5FCDBDE847036F4D7CF2E69B1D6DF6C073025582097F28C71F607B7E12
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\Desktop\download\optojumpnext.exe
                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft SQL Server Compact, Author: Microsoft Corporation, Keywords: Installer, MSI, Database, AMD64, Comments: This installer database contains the logic and data required to install Microsoft SQL Server Compact 3.5 SP2 x64 ENU., Template: AMD64;1033, Revision Number: {A8561516-5654-439F-A50C-2E84B389C11D}, Create Time/Date: Fri Feb 12 02:45:46 2010, Last Saved Time/Date: Fri Feb 12 02:45:46 2010, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML v3.0.2921.0, Security: 2
                    Category:dropped
                    Size (bytes):3653120
                    Entropy (8bit):7.568022930231712
                    Encrypted:false
                    SSDEEP:98304:68MMvEYUdJk8yjRdeimsJhMfePVtQTMNdF:6ku0+DqIePPd
                    MD5:558F4EC3B1D25761399A81D3F14BDB6D
                    SHA1:A860CD0D9C39E8A8A756D1C5AC79DD08B610F958
                    SHA-256:FCC1110C9AD0FB3E2F8787103A2A7549C16B0935E1808C2EE1EA016149FA08B8
                    SHA-512:FF05AE0428B7880651B71F8E148E73828C83470B614045C2BECABBBAEB870D41BFA5DE049F00B148949DE5B21E80C72B76DD04DD31E9017EC3E2044508799003
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\Desktop\download\optojumpnext.exe
                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft SQL Server Compact, Author: Microsoft Corporation, Keywords: Installer, MSI, Database, Intel, Comments: This installer database contains the logic and data required to install Microsoft SQL Server Compact 3.5 SP2 ENU., Template: Intel;1033, Revision Number: {84395861-2117-43CE-9029-6D1A73F6929A}, Create Time/Date: Fri Feb 12 03:19:10 2010, Last Saved Time/Date: Fri Feb 12 03:19:10 2010, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML v3.0.2921.0, Security: 2
                    Category:dropped
                    Size (bytes):3164160
                    Entropy (8bit):7.4672036886736395
                    Encrypted:false
                    SSDEEP:49152:zfii8t59kIUvtcaLotZgA0fRHCUsmZ/Aus1e7J/VoNxvrIQ2pjEQpF:zfii8t59QzotZp/oZCG9oNZIH
                    MD5:86AF6D36DFF214718DCD35D851249D3D
                    SHA1:286A78FAAE68FCBA8FBA4EDCD9FA201DE1F25D12
                    SHA-256:99B5F0C1CC7FE40120A36FB760CC7C646EDEF5916695D6ECD8D41E8BBA9B1C60
                    SHA-512:3642157F27BB4840A69DCB7CBD7298CF0865736E0A5C728FFC37330814BCB42D565C936432DE4D87D361E3F42CAC0B1872DB7712A211333B5307ACF1BBDF6ABB
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\Desktop\download\optojumpnext.exe
                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Create Time/Date: Thu Jun 19 07:52:58 2014, Name of Creating Application: Windows Installer XML v2.0.3116.0 (candle/light), Title: Installation Database, Subject: SAP Crystal Reports runtime engine for .NET Framework (32-bit), Author: SAP, Keywords: Crystal Reports, .NET, Comments: This installer database contains the logic and data required to install SAP Crystal Reports runtime engine for .NET Framework (32-bit)., Template: ;1033, Last Saved By: alessandrom, Revision Number: {6D9975D3-DAE5-42E5-9C3E-70CE836D947D}, Last Saved Time/Date: Wed Mar 10 11:38:59 2021, Number of Pages: 200, Number of Words: 2, Security: 1
                    Category:dropped
                    Size (bytes):78157312
                    Entropy (8bit):7.977283484421576
                    Encrypted:false
                    SSDEEP:1572864:rFYgUSDSOmat2rB//ptrzKtwEzzKsOesWzxTagjmtTyh:rFvUSDS6t2rB//pN2tZPHOePtgT
                    MD5:B4179D86C2E9A9366B3B03730C83425D
                    SHA1:054F18D77B3D8E1C4355BAC5A2A60A5CA57AF17D
                    SHA-256:6E11C90F6F0AAA498FAC78676F2C0B62102F17160458339673A4787A2770B777
                    SHA-512:25C89124D6102900E0C1D7F17AD8EEA9872818DFE71BF03EF205705AED559F3F802985312815177696481D927D85EE727D02F7AF19BEBC64FDEE56438D842B7F
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\Desktop\download\optojumpnext.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):126116296
                    Entropy (8bit):7.99889806836837
                    Encrypted:true
                    SSDEEP:3145728:JVYzmAbltbqhdNe6Qjp1vLe8nn2V961F/toNk:czXxQhbeXXe8nn2X63to2
                    MD5:94498086DC1825A3AF3044BE5F4B5E92
                    SHA1:878E3749C0A461B48A1CD39BB969DECDC96D1155
                    SHA-256:AC6AABEBAEFD96FF42C0BABCFC195A5810A0D5DBD2AF52932B2199BCCE6A29C2
                    SHA-512:A09E1412AE33E4B195663B30CC1CCB0B0648ADD09EF51D8D4B6B05E458114AF405F2678C6037D444E7E09752AA34336ACA0751F6413D79956E29491A533F22A6
                    Malicious:true
                    Reputation:low
                    Process:C:\1adc35b2a430ffb6f8fdcb\Setup.exe
                    File Type:HTML document, Unicode text, UTF-16, little-endian text, with very long lines (321), with CRLF line terminators
                    Category:modified
                    Size (bytes):29270
                    Entropy (8bit):3.7112639989866083
                    Encrypted:false
                    SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjRhti6kCC9T:fdsOT01KcBUFJFEWUxFzvHd+6kCC9T
                    MD5:ACE46C166526B55959E52988CF774FB5
                    SHA1:9EAAD0B0D5FE2B2A0F62CF9C23127090F9EAA5EA
                    SHA-256:C88B7B6EAF47140030DCAEF83DC46D282F9E176CD8B39056FB07E5A54A8AF534
                    SHA-512:0C83995BE6A1BE45F26FD3DC536BFAFF7F31B07FC7049100E660F5ECBD7E963950858EE46C40A839BC5FD625C6BAB35074504F2A50DAD823D1D36F2770E907FA
                    Malicious:false
                    Reputation:low
                    Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">..<!-- The Extended Copyright/Trademark Language Resides At: http://www.microsoft.com/info/cpyrtInfrg.htm -->..<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=utf-16"/><base target="_blank"/>...<style type="text/css">....html{overflow:scroll}....body{font-size:10pt;font-family:Verdana;color:#000000;background-color:#F0F0F0}.....header
                    Process:C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2692096
                    Entropy (8bit):6.367576604518959
                    Encrypted:false
                    SSDEEP:49152:XUHIvtEE5zNUJdxiAgW088rgWpha4T36vt:USzNydmW081+hd3Q
                    MD5:8BF15E660B8A5A779B2E4A6C91C3CB7D
                    SHA1:82C36A1B15D9683E1957EBC2B5AF44F6923B6C3D
                    SHA-256:89B6BD41A5298121135DC9E7705BD382D2CC934BE0C38DEE8DD232E64789114C
                    SHA-512:BAB174AD306257752FF4D5F49FF8881D0BD0F8442A540A80BC0F02BA7E6A35A2F4C263F49CF1282FDFD0374E478E658AB9EA81C0339E303046B86BFE36F09053
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2692096
                    Entropy (8bit):6.367576604518959
                    Encrypted:false
                    SSDEEP:49152:XUHIvtEE5zNUJdxiAgW088rgWpha4T36vt:USzNydmW081+hd3Q
                    MD5:8BF15E660B8A5A779B2E4A6C91C3CB7D
                    SHA1:82C36A1B15D9683E1957EBC2B5AF44F6923B6C3D
                    SHA-256:89B6BD41A5298121135DC9E7705BD382D2CC934BE0C38DEE8DD232E64789114C
                    SHA-512:BAB174AD306257752FF4D5F49FF8881D0BD0F8442A540A80BC0F02BA7E6A35A2F4C263F49CF1282FDFD0374E478E658AB9EA81C0339E303046B86BFE36F09053
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\Desktop\download\optojumpnext.exe
                    File Type:Generic INItialization configuration [Dialog1001]
                    Category:dropped
                    Size (bytes):4533
                    Entropy (8bit):4.939578182564759
                    Encrypted:false
                    SSDEEP:48:zWq2or3ynA0KA07bjaNebeMFFVeag8TYbbtIeEAVki4X2iy5IfsMnV6LQdQ9DPgc:Kq2orCnavjaYCdaMd1scMeJgocuEaegn
                    MD5:414378BEE661B0DF11BDB2BE32E15B84
                    SHA1:B14FD9207864D6053B2CB099736B4DAFC2084AF4
                    SHA-256:F9EFB3E6FE099C649FB4CC20AC6F9B7E90D3F60B8D98F48FB5D167F1A0B1B7F2
                    SHA-512:F042D5A58C5F4D6DEE054EEBC9270619A79318BDBAEEB9CD23969ABA09D4EF1BCA77A139C08AF718672EC87B7ADBD6EF0E4BFEDDC1A03E559EAC91763D9361DD
                    Malicious:false
                    Reputation:low
                    Preview:[Dialog1000]..100=Welcome to the InstallShield Wizard for %s..101=The InstallShield Wizard(TM) will help install %s on your computer. To continue, click Next.....[Dialog1001]..0=License Agreement..1=Please read the following license agreement carefully...121=I &accept the terms in the license agreement..122=I &do not accept the terms in the license agreement....[Dialog1002]..0=Location to Save Files..1=Where would you like to save your files?..101=Please enter the folder where you want these files saved. If the folder does not exist, it will be created for you. To continue, click Next...102=&Save files in folder:..103=&Change.......[Dialog1003]..0=Password..1=This package has been password protected...106=&Password:..107=Enter the password to required to run this package. Please note that passwords are case sensitive. Click Next to continue.....[Dialog1004]..0=Overwrite Protection..2=Cancel..109=&Yes..110=&No..111=Y&es to All..112=N&o to All..113=The following file is already on
                    Process:C:\Users\user\Desktop\download\optojumpnext.exe
                    File Type:Microsoft Cabinet archive data, many, 263286643 bytes, 7 files, at 0x2c +A "\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe" +A "\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe", ID 12345, number 1, 8213 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):263286643
                    Entropy (8bit):7.99984455167495
                    Encrypted:true
                    SSDEEP:6291456:/sEIqHXzwjKfjiNhiWTAMG/3ULtZi7QqX3QxnG+GNgM:tIqjwGfeNhiwlG/UjsQnxG++H
                    MD5:C9D73CC0BD228BA5AD235B110FA4E504
                    SHA1:09872FF88E6D1C1EEE4C007865D0A0D6EE49B2F6
                    SHA-256:5B78C376C41653402434817C8689DE68F48F09CB59EEEE1C7977421C58A9D402
                    SHA-512:52E3D5AA82306497D57CAC32C380086550B5C3178A0FD524A9B21B67EF46D5246933B6AB3BAA75F7965AECBA64FB791E29D314B7FC98C58732E7019EECA5C0BC
                    Malicious:false
                    Reputation:low
                    Preview:MSCF....so......,...............90....... ..X9L.......lD. .\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe.0...X9L...0Pzv .\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe..u'...N...0P@v .\ISSetupPrerequisites\{57bcd1d4-2de9-49d9-bc0c-3f4263e9970e}\WindowsInstaller-KB893803-v2-x86.exe...7..zu...0P.v .\ISSetupPrerequisites\{98C2B127-189A-4154-8F39-C7E64851A458}\SSCERuntime_x64-ENU.msi......8....jR.d .\ISSetupPrerequisites\{a0689fe9-3467-4d73-bc25-d0f696ad268a}\CRRuntime_32bit_13_0_10.msi..H0...U...0P.v .\ISSetupPrerequisites\{B1165B38-CA52-11E0-A63D-7C004824019B}\SSCERuntime_x86-ENU.msi..a........?X'I .\setup.exe..6..CH..CK.{|..(.z.-..l...:1.$...0.l'. .H8.8.....k..im.Y..j.MO....R(.7.IOi.+...9~@Jx..R.n.i....b..{...,..........hf...|.3..._.4.Ei!H.E......?...a.#..I...X5.....fU...f.sY.V.[....^UV...k..y.mY._]5555yR.....s.........I...!y.;........?[:...ra.o...BQ.U.j.....SST..T#<...U..!H.U$..(..`
                    Process:C:\Users\user\Desktop\download\optojumpnext.exe
                    File Type:Generic INItialization configuration [Dialog1001]
                    Category:dropped
                    Size (bytes):4533
                    Entropy (8bit):4.939578182564759
                    Encrypted:false
                    SSDEEP:48:zWq2or3ynA0KA07bjaNebeMFFVeag8TYbbtIeEAVki4X2iy5IfsMnV6LQdQ9DPgc:Kq2orCnavjaYCdaMd1scMeJgocuEaegn
                    MD5:414378BEE661B0DF11BDB2BE32E15B84
                    SHA1:B14FD9207864D6053B2CB099736B4DAFC2084AF4
                    SHA-256:F9EFB3E6FE099C649FB4CC20AC6F9B7E90D3F60B8D98F48FB5D167F1A0B1B7F2
                    SHA-512:F042D5A58C5F4D6DEE054EEBC9270619A79318BDBAEEB9CD23969ABA09D4EF1BCA77A139C08AF718672EC87B7ADBD6EF0E4BFEDDC1A03E559EAC91763D9361DD
                    Malicious:false
                    Reputation:low
                    Preview:[Dialog1000]..100=Welcome to the InstallShield Wizard for %s..101=The InstallShield Wizard(TM) will help install %s on your computer. To continue, click Next.....[Dialog1001]..0=License Agreement..1=Please read the following license agreement carefully...121=I &accept the terms in the license agreement..122=I &do not accept the terms in the license agreement....[Dialog1002]..0=Location to Save Files..1=Where would you like to save your files?..101=Please enter the folder where you want these files saved. If the folder does not exist, it will be created for you. To continue, click Next...102=&Save files in folder:..103=&Change.......[Dialog1003]..0=Password..1=This package has been password protected...106=&Password:..107=Enter the password to required to run this package. Please note that passwords are case sensitive. Click Next to continue.....[Dialog1004]..0=Overwrite Protection..2=Cancel..109=&Yes..110=&No..111=Y&es to All..112=N&o to All..113=The following file is already on
                    Process:C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe
                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (308), with CRLF line terminators
                    Category:dropped
                    Size (bytes):22480
                    Entropy (8bit):3.4851320007899904
                    Encrypted:false
                    SSDEEP:384:CTmyuV//BiTbh/YgAwC2WrP2DBWa/Oa0Mhs+XVgv:CT6V//BiXh/t/lWr0aa0Mhs+XVgv
                    MD5:A108F0030A2CDA00405281014F897241
                    SHA1:D112325FA45664272B08EF5E8FF8C85382EBB991
                    SHA-256:8B76DF0FFC9A226B532B60936765B852B89780C6E475C152F7C320E085E43948
                    SHA-512:D83894B039316C38915A789920758664257680DCB549A9B740CF5361ADDBEE4D4A96A3FF2999B5D8ACFB1D9336DA055EC20012D29A9F83EE5459F103FBEEC298
                    Malicious:false
                    Reputation:low
                    Preview:..[.0.x.0.4.0.9.].....1.1.0.0.=.S.e.t.u.p. .I.n.i.t.i.a.l.i.z.a.t.i.o.n. .E.r.r.o.r.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .i.s. .p.r.e.p.a.r.i.n.g. .t.h.e. .%.2.,. .w.h.i.c.h. .w.i.l.l. .g.u.i.d.e. .y.o.u. .t.h.r.o.u.g.h. .t.h.e. .p.r.o.g.r.a.m. .s.e.t.u.p. .p.r.o.c.e.s.s... . .P.l.e.a.s.e. .w.a.i.t.......1.1.0.3.=.C.h.e.c.k.i.n.g. .O.p.e.r.a.t.i.n.g. .S.y.s.t.e.m. .V.e.r.s.i.o.n.....1.1.0.4.=.C.h.e.c.k.i.n.g. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .V.e.r.s.i.o.n.....1.1.0.5.=.C.o.n.f.i.g.u.r.i.n.g. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.C.o.n.f.i.g.u.r.i.n.g. .%.s.....1.1.0.7.=.S.e.t.u.p. .h.a.s. .c.o.m.p.l.e.t.e.d. .c.o.n.f.i.g.u.r.i.n.g. .t.h.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .o.n. .y.o.u.r. .s.y.s.t.e.m... .T.h.e. .s.y.s.t.e.m. .n.e.e.d.s. .t.o. .b.e. .r.e.s.t.a.r.t.e.d. .i.n. .o.r.d.e.r. .t.o. .c.o.n.t.i.n.u.e. .w.i.t.h. .t.h.e. .i.n.s.t.a.l.l.a.t.i.o.n... .P.l.e.a.s.e. .c.l.i.c.k. .R.e.s.t.a.r.t. .t.o. .r.e.b.o.o.t. .t.h.e. .s.y.s.t.e.m.......1.1.0.8.
                    Process:C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):896
                    Entropy (8bit):5.51342527054661
                    Encrypted:false
                    SSDEEP:24:2dXSj1UIV1WjofcrG4ommcZqgzo74N76RJUAi:cm1UI6ofcrGcmcZhzoEN76PUAi
                    MD5:19418F08C8A07B4401949804314A2FD9
                    SHA1:FE0072EB8BAA1AB7E1B667B935ED4E7C0A7223FD
                    SHA-256:2BE2D595E3868DDE3000E8111A82553D6FC6AA3CD6F6B53FC52B3E721826C88A
                    SHA-512:FB73757BF9EB556A6AF4C8468540D97E759B93FEAC6126C63A4ACF4A1234E9F97FCE6D5DF29C5E621838ECEC45B22BAEB7835E867D340142A2D7D1DE8FAF08E9
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8"?>..<SetupPrereq>...<conditions>....<condition Type="1" Comparison="2" Path="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A10D640-13F1-4A13-BAD1-3E3790511B17}" FileName="" ReturnValue=""></condition>...</conditions>...<files>....<file LocalFile="&lt;ISProductFolder&gt;\SetupPrerequisites\CrystalReports10_10\CRRuntime_32bit_13_0_10.msi" FileSize="0,78157312"></file>...</files>...<execute file="CRRuntime_32bit_13_0_10.msi" cmdline="/qn /norestart" cmdlinesilent="/qn /norestart" returncodetoreboot="1641,3010" requiresmsiengine="1"></execute>...<properties Id="{a0689fe9-3467-4d73-bc25-d0f696ad268a}" Description="This prerequisite installs SAP Crystal Reports runtime engine for .NET Framework for x86-based systems, which you must obtain from Crystal Reports."></properties>...<behavior Reboot="32"></behavior>..</SetupPrereq>..
                    Process:C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe
                    File Type:XML 1.0 document, ASCII text, with very long lines (304), with CRLF line terminators
                    Category:dropped
                    Size (bytes):2578
                    Entropy (8bit):5.315252267182117
                    Encrypted:false
                    SSDEEP:48:cmSUIY0jue1ns9nha9nhmR9ntl9ntY9nE9nhZ9ntm9ntb9nb5eoEEiI+JbzoHR70:+rY0Kans9nha9nhq9n39n+9nE9nhZ9n/
                    MD5:3E83DA0D982491ECF42FFD4E3B703BB4
                    SHA1:F7F6CF9806A9EE882B89E954158C62C25A6855FE
                    SHA-256:72F503001EB474D40995246C7C3857CAB8203A2A59F9E07A1BCC58EC45F2AC3B
                    SHA-512:76D5EB703EAA2F4DF5F0462F474D83AB9E8BF6A18C1FDD20498B2D77AB2BC4A209B1BD6C3F1324BCF72582450CF953B67D65EDFEB7548B71FD0D12DD0696480A
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8"?>..<SetupPrereq>...<conditions>....<condition Type="2" Comparison="2" Path="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" FileName="Install" ReturnValue="1"></condition>...</conditions>...<operatingsystemconditions>....<operatingsystemcondition MajorVersion="5" MinorVersion="1" PlatformId="2" CSDVersion="" Bits="1" ProductType="1" ServicePackMajorMin="2"></operatingsystemcondition>....<operatingsystemcondition MajorVersion="5" MinorVersion="2" PlatformId="2" CSDVersion="" Bits="1" ProductType="2|3" ServicePackMajorMin="1"></operatingsystemcondition>....<operatingsystemcondition MajorVersion="5" MinorVersion="2" PlatformId="2" CSDVersion="" Bits="4" ProductType="1"></operatingsystemcondition>....<operatingsystemcondition MajorVersion="6" MinorVersion="0" PlatformId="2" CSDVersion="" Bits="1"></operatingsystemcondition>....<operatingsystemcondition MajorVersion="6" MinorVersion="0" PlatformId="2" CSDVersion="" Bits="1" Product
                    Process:C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe
                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):2381
                    Entropy (8bit):5.2467107226891025
                    Encrypted:false
                    SSDEEP:48:3JUILbsMnQb+rnhmRrntmrnhmrnbrntbrnqfrnjdrnAmGk32T/FbzuON78wMZ:ZrLbsMno+rnhqrnYrnhmrnbrnRrnqfrJ
                    MD5:3A8F965049D9BED62AF89155A97D8DC0
                    SHA1:9EA603C6BA14111356826B1F89DEFBFED8ECD1AA
                    SHA-256:F1C0A418E5A6D5EBFF6588E22F23F20B25846EC7EACC1327ABD6F4D85A04D1CD
                    SHA-512:A938DAE2E20027E3D231045A80E09B1E4D32C80C0A0167C25AEF1E336DB2FA271EE419B6F4E0E64790911279F6D519D4526A85F32A4797593047A9E4DCABDF96
                    Malicious:false
                    Reputation:low
                    Preview:.<?xml version="1.0" encoding="utf-8"?>..<SetupPrereq>.. <conditions>.. <condition Type="32" Comparison="2" Path="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server Compact Edition\v3.5\ENU" FileName="DesktopRuntimeVersion_x64" ReturnValue="3.5.8080.0"></condition>.. </conditions>.. <operatingsystemconditions>.. <operatingsystemcondition MajorVersion="5" MinorVersion="0" PlatformId="2" CSDVersion="" ServicePackMajorMin="3"></operatingsystemcondition>.. <operatingsystemcondition MajorVersion="5" MinorVersion="2" PlatformId="2" CSDVersion="" Bits="4" ProductType="1"></operatingsystemcondition>.. <operatingsystemcondition MajorVersion="6" MinorVersion="0" PlatformId="2" CSDVersion="" Bits="4"></operatingsystemcondition>.. <operatingsystemcondition MajorVersion="5" MinorVersion="2" PlatformId="2" CSDVersion="" Bits="4" ProductType="2|3"></operatingsystemcondition>.. <operatingsystemcondition MajorVersion="6" MinorVersion="1" PlatformId="2" CSDVersion="" Bits=
                    Process:C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):984
                    Entropy (8bit):5.6077986622519225
                    Encrypted:false
                    SSDEEP:24:2dXSjbUILemb3qj0V6j0Y6jookZTlVaoQjJqd4zu739778eUK:cmbUILbeueReoV/MbzuJ7782
                    MD5:F61C9D8CF21C5764384B0CA76CECF3A2
                    SHA1:4B172EA8A52B1CAAF6954726F0552ABBBA6273DE
                    SHA-256:E5556A583919A693864AF77FFD718719E90DABC715FE6028720470096F2D9B10
                    SHA-512:C6A8C073EAA7D9D062D70D22889A6406B81640C1FCD361A1BDBC43D8B38483D62B095A7F8199BBA7D62568C5741366B444DEE6F67A9066DA8A1FDB1C369EAE35
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8"?>..<SetupPrereq>...<conditions>....<condition Type="32" Comparison="2" Path="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server Compact Edition\v3.5\ENU" FileName="DesktopRuntimeVersion" ReturnValue="3.5.8080.0"></condition>...</conditions>...<operatingsystemconditions>...</operatingsystemconditions>...<files>....<file LocalFile="&lt;ISProductFolder&gt;\SetupPrerequisites\SQL CE 3.5\SSCERuntime_x86-ENU.msi" URL="http://go.microsoft.com/fwlink/?LinkId=166085&amp;clcid=0x409" CheckSum="86AF6D36DFF214718DCD35D851249D3D" FileSize="0,3164160"></file>...</files>...<execute file="SSCERuntime_x86-ENU.msi" cmdline="/q /norestart" cmdlinesilent="/q /norestart" returncodetoreboot="1641,3010,4123" requiresmsiengine="1"></execute>...<properties Id="{B1165B38-CA52-11E0-A63D-7C004824019B}" Description="This prerequisite installs the Microsoft SQL Server Compact 3.5 SP2 (x86)."></properties>...<behavior Reboot="2"></behavior>..</SetupPrereq>
                    Process:C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):2068
                    Entropy (8bit):5.4203888791670005
                    Encrypted:false
                    SSDEEP:48:cT1UIaue1nK4Ynt/Ynh9Ynt4Yn+4YnQbjYnqGYnjgYnA0eomIbJ26eLJZQ78P72u:MrDanK1nCnhCnrn+1noUnqXnj9n37mIU
                    MD5:75C700689358F7AE2E03CB0E87C25EB7
                    SHA1:559759A87AB6D57C07B7D5E2A9372E15E7D2897D
                    SHA-256:9824AFC7876CAAD71A62C9040D776EF1B7CCF2FBC140F84CF8B4679BD9A10770
                    SHA-512:7633A104073F465577D1904FA3C906EB553E89FC36E654B1CEBCE25C99C203361CD2CE8D521B9BF1ABEF66D0F099122C2493C7F43AB94F2C25F94A0A01F1B57D
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<SetupPrereq>...<properties/>...<conditions>....<condition Type="1" Comparison="2" Path="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" FileName="" ReturnValue=""/>...</conditions>...<operatingsystemconditions>....<operatingsystemcondition MajorVersion="5" MinorVersion="1" PlatformId="2" CSDVersion="" Bits="1" ProductType="1" ServicePackMajorMin="1"/>....<operatingsystemcondition MajorVersion="6" MinorVersion="0" PlatformId="2" CSDVersion=""/>....<operatingsystemcondition MajorVersion="5" MinorVersion="2" PlatformId="2" CSDVersion="" ProductType="2|3"/>....<operatingsystemcondition MajorVersion="6" MinorVersion="0" PlatformId="2" CSDVersion="" ProductType="2|3"/>....<operatingsystemcondition MajorVersion="6" MinorVersion="1" PlatformId="2" CSDVersion="" ProductType="1"/>....<operatingsystemcondition MajorVersion="5" MinorVersion="0" PlatformId="2" CSDVersion="" Servi
                    Process:C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):5896
                    Entropy (8bit):3.7405231562333086
                    Encrypted:false
                    SSDEEP:96:rEhkMaE8ZMwKON/XsEbFWaEPRhS+gWPQPgWRGTwQbPrvnp6kY05w7tCYOvlnAMX/:YhcLMicuQaEZhdxoIWRGcQbPr/p00506
                    MD5:079122B97B8DEF4D62B25684AD3D0C15
                    SHA1:8A4DB032A3C128FA559A3D94600AD71301642B69
                    SHA-256:BF4609BA42F50827317D8135AA6D4614F51AF7521F894E90CA89FB631243A7CF
                    SHA-512:BA479A2F3BA035D3C463CCF8ABEE35F61ECA6B814F185520B1775A22D1286FBA2898B0548B1F27D7D2E0FC865E1A6AB014B63AC4F870A5E2AA8D87C3071A3087
                    Malicious:false
                    Reputation:low
                    Preview:..[.I.n.f.o.].....N.a.m.e.=.I.N.T.L.....V.e.r.s.i.o.n.=.1...0.0...0.0.0.....D.i.s.k.S.p.a.c.e.=.8.0.0.0...;.D.i.s.k.S.p.a.c.e. .r.e.q.u.i.r.e.m.e.n.t. .i.n. .K.B.........[.S.t.a.r.t.u.p.].....C.m.d.L.i.n.e.=.....S.u.p.p.r.e.s.s.W.r.o.n.g.O.S.=.Y.....S.c.r.i.p.t.D.r.i.v.e.n.=.0.....S.c.r.i.p.t.V.e.r.=.1...0...0...1.....D.o.t.N.e.t.O.p.t.i.o.n.a.l.I.n.s.t.a.l.l.I.f.S.i.l.e.n.t.=.N.....O.n.U.p.g.r.a.d.e.=.0.....P.r.o.d.u.c.t.=.O.p.t.o.j.u.m.p. .N.e.x.t.....P.a.c.k.a.g.e.N.a.m.e.=.O.p.t.o.j.u.m.p. .N.e.x.t...m.s.i.....E.n.a.b.l.e.L.a.n.g.D.l.g.=.Y.....L.o.g.R.e.s.u.l.t.s.=.N.....D.o.M.a.i.n.t.e.n.a.n.c.e.=.N.....P.r.o.d.u.c.t.C.o.d.e.=.{.6.8.E.7.4.1.8.1.-.8.C.C.0.-.4.1.1.4.-.8.0.1.C.-.2.B.E.0.F.4.2.4.5.F.D.D.}.....P.r.o.d.u.c.t.V.e.r.s.i.o.n.=.1...1.3...2.4.0.....U.p.g.r.a.d.e.C.o.d.e.=.{.4.5.8.3.D.A.8.2.-.5.E.D.9.-.4.E.E.5.-.9.C.4.D.-.6.2.6.2.C.5.1.0.F.A.F.2.}.....L.a.u.n.c.h.e.r.N.a.m.e.=.s.e.t.u.p...e.x.e.....P.a.c.k.a.g.e.C.o.d.e.=.{.0.4.8.7.A.D.0.2.-.A.E.1.B.-.4.2.6.B.-.9.3.F.7.-.A.E.
                    Process:C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe
                    File Type:XML 1.0 document, ASCII text, with very long lines (371), with CRLF line terminators
                    Category:dropped
                    Size (bytes):1597
                    Entropy (8bit):5.3381529175986335
                    Encrypted:false
                    SSDEEP:48:cmx7JdOue1nQb+9n6R9nhL5eofOl+nln6l1Xz0ws737JI:t7Pano+9nu9nhL57S+lnW1j0DW
                    MD5:00BA1D21ED4422DCD63A8B5583D379F3
                    SHA1:7B41D2E4D5CBE0B7D73CD69C6A651A19C38E5ABE
                    SHA-256:E2620A4DD3BA69B294A7018937FDF5C3951161D4FFBEA0A6A9A9E6367BC22B29
                    SHA-512:189902E13F0C8DCB3CE4819F27A566C50FDF3641A6F7B27122BBA96CFD47B2424AAEC197F6524FAA1E805B9352762096B16574BDA8BE7095CC2E38E94972A004
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8"?>..<SetupPrereq>...<conditions>....<condition Type="16" Comparison="2" Path="[SystemFolder]" FileName="msi.dll" ReturnValue="3.1.4000.2435"></condition>...</conditions>...<operatingsystemconditions>....<operatingsystemcondition MajorVersion="5" MinorVersion="0" PlatformId="2" CSDVersion="" ServicePackMajorMin="3"></operatingsystemcondition>....<operatingsystemcondition MajorVersion="5" MinorVersion="1" PlatformId="2" CSDVersion="" Bits="1" ProductType="1"></operatingsystemcondition>....<operatingsystemcondition MajorVersion="5" MinorVersion="2" PlatformId="2" CSDVersion="" Bits="1" ProductType="2|3" ServicePackMajorMax="0"></operatingsystemcondition>...</operatingsystemconditions>...<files>....<file LocalFile="&lt;ISProductFolder&gt;\SetupPrerequisites\Windows Installer\3.1\x86\WindowsInstaller-KB893803-v2-x86.exe" URL="http://saturn.installshield.com/devstudio/setuprequirements/msi31/WindowsInstaller-KB893803-v2-x86.exe" FileSize="0,0"></file>...</
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):2600
                    Entropy (8bit):3.7457412406084516
                    Encrypted:false
                    SSDEEP:48:ra9L1aoB9L18o59L1j619L1T6B9L1C9L1y7Pl9L1i7PE+9L1JW9L1yb9L1Kf:r7oSotDYDA
                    MD5:898E39F251568FB905610111C7AB7F69
                    SHA1:96D3F9F03462A943626AB67F72A104EC0D67C4C2
                    SHA-256:F813B5DB58B6AC2BA3D2C448758A44EA985570123A9E88843542CC7A79E45894
                    SHA-512:23A27F0737D1118A78933F306EF73EDB59E9A46D9257A48ECEC49A50657D827689504AA99B3FF6A6EAB31F5BF220A6A7FAB4C477BB1E63F7BEA512217252B4BE
                    Malicious:false
                    Reputation:low
                    Preview:..[.F.i.l.e.s.].....0.x.0.4.0.9...i.n.i.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.{.5.A.D.F.3.2.2.E.-.F.4.8.3.-.4.6.6.6.-.A.C.2.C.-.0.4.C.C.4.A.5.C.E.F.1.0.}.\.0.x.0.4.0.9...i.n.i.....C.r.y.s.t.a.l. .R.e.p.o.r.t.s. .1.0...0...1.0...p.r.q.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.{.5.A.D.F.3.2.2.E.-.F.4.8.3.-.4.6.6.6.-.A.C.2.C.-.0.4.C.C.4.A.5.C.E.F.1.0.}.\.C.r.y.s.t.a.l. .R.e.p.o.r.t.s. .1.0...0...1.0...p.r.q.....I.S.S.e.t.u.p...d.l.l.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.{.5.A.D.F.3.2.2.E.-.F.4.8.3.-.4.6.6.6.-.A.C.2.C.-.0.4.C.C.4.A.5.C.E.F.1.0.}.\.I.S.S.e.t.u.p...d.l.l.....M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. .4...0. .F.u.l.l...p.r.q.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.{.5.A.D.F.3.2.2.E.-.F.4.8.3.-.4.6.6.6.-.A.C.2.C.-.0.4.C.C.4.A.5.C.E.F.1.0.}.\.M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. .4...0. .F.u.l.l...p.r.q.....M.i.c.r.o.s.o.f.t. .S.Q.L. .C.E.
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):126116296
                    Entropy (8bit):7.99889806836837
                    Encrypted:true
                    SSDEEP:3145728:JVYzmAbltbqhdNe6Qjp1vLe8nn2V961F/toNk:czXxQhbeXXe8nn2X63to2
                    MD5:94498086DC1825A3AF3044BE5F4B5E92
                    SHA1:878E3749C0A461B48A1CD39BB969DECDC96D1155
                    SHA-256:AC6AABEBAEFD96FF42C0BABCFC195A5810A0D5DBD2AF52932B2199BCCE6A29C2
                    SHA-512:A09E1412AE33E4B195663B30CC1CCB0B0648ADD09EF51D8D4B6B05E458114AF405F2678C6037D444E7E09752AA34336ACA0751F6413D79956E29491A533F22A6
                    Malicious:true
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exe
                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (308), with CRLF line terminators
                    Category:dropped
                    Size (bytes):22480
                    Entropy (8bit):3.4851320007899904
                    Encrypted:false
                    SSDEEP:384:CTmyuV//BiTbh/YgAwC2WrP2DBWa/Oa0Mhs+XVgv:CT6V//BiXh/t/lWr0aa0Mhs+XVgv
                    MD5:A108F0030A2CDA00405281014F897241
                    SHA1:D112325FA45664272B08EF5E8FF8C85382EBB991
                    SHA-256:8B76DF0FFC9A226B532B60936765B852B89780C6E475C152F7C320E085E43948
                    SHA-512:D83894B039316C38915A789920758664257680DCB549A9B740CF5361ADDBEE4D4A96A3FF2999B5D8ACFB1D9336DA055EC20012D29A9F83EE5459F103FBEEC298
                    Malicious:false
                    Reputation:low
                    Preview:..[.0.x.0.4.0.9.].....1.1.0.0.=.S.e.t.u.p. .I.n.i.t.i.a.l.i.z.a.t.i.o.n. .E.r.r.o.r.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .i.s. .p.r.e.p.a.r.i.n.g. .t.h.e. .%.2.,. .w.h.i.c.h. .w.i.l.l. .g.u.i.d.e. .y.o.u. .t.h.r.o.u.g.h. .t.h.e. .p.r.o.g.r.a.m. .s.e.t.u.p. .p.r.o.c.e.s.s... . .P.l.e.a.s.e. .w.a.i.t.......1.1.0.3.=.C.h.e.c.k.i.n.g. .O.p.e.r.a.t.i.n.g. .S.y.s.t.e.m. .V.e.r.s.i.o.n.....1.1.0.4.=.C.h.e.c.k.i.n.g. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .V.e.r.s.i.o.n.....1.1.0.5.=.C.o.n.f.i.g.u.r.i.n.g. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.C.o.n.f.i.g.u.r.i.n.g. .%.s.....1.1.0.7.=.S.e.t.u.p. .h.a.s. .c.o.m.p.l.e.t.e.d. .c.o.n.f.i.g.u.r.i.n.g. .t.h.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .o.n. .y.o.u.r. .s.y.s.t.e.m... .T.h.e. .s.y.s.t.e.m. .n.e.e.d.s. .t.o. .b.e. .r.e.s.t.a.r.t.e.d. .i.n. .o.r.d.e.r. .t.o. .c.o.n.t.i.n.u.e. .w.i.t.h. .t.h.e. .i.n.s.t.a.l.l.a.t.i.o.n... .P.l.e.a.s.e. .c.l.i.c.k. .R.e.s.t.a.r.t. .t.o. .r.e.b.o.o.t. .t.h.e. .s.y.s.t.e.m.......1.1.0.8.
                    Process:C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):896
                    Entropy (8bit):5.51342527054661
                    Encrypted:false
                    SSDEEP:24:2dXSj1UIV1WjofcrG4ommcZqgzo74N76RJUAi:cm1UI6ofcrGcmcZhzoEN76PUAi
                    MD5:19418F08C8A07B4401949804314A2FD9
                    SHA1:FE0072EB8BAA1AB7E1B667B935ED4E7C0A7223FD
                    SHA-256:2BE2D595E3868DDE3000E8111A82553D6FC6AA3CD6F6B53FC52B3E721826C88A
                    SHA-512:FB73757BF9EB556A6AF4C8468540D97E759B93FEAC6126C63A4ACF4A1234E9F97FCE6D5DF29C5E621838ECEC45B22BAEB7835E867D340142A2D7D1DE8FAF08E9
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8"?>..<SetupPrereq>...<conditions>....<condition Type="1" Comparison="2" Path="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A10D640-13F1-4A13-BAD1-3E3790511B17}" FileName="" ReturnValue=""></condition>...</conditions>...<files>....<file LocalFile="&lt;ISProductFolder&gt;\SetupPrerequisites\CrystalReports10_10\CRRuntime_32bit_13_0_10.msi" FileSize="0,78157312"></file>...</files>...<execute file="CRRuntime_32bit_13_0_10.msi" cmdline="/qn /norestart" cmdlinesilent="/qn /norestart" returncodetoreboot="1641,3010" requiresmsiengine="1"></execute>...<properties Id="{a0689fe9-3467-4d73-bc25-d0f696ad268a}" Description="This prerequisite installs SAP Crystal Reports runtime engine for .NET Framework for x86-based systems, which you must obtain from Crystal Reports."></properties>...<behavior Reboot="32"></behavior>..</SetupPrereq>..
                    Process:C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exe
                    File Type:XML 1.0 document, ASCII text, with very long lines (304), with CRLF line terminators
                    Category:dropped
                    Size (bytes):2578
                    Entropy (8bit):5.315252267182117
                    Encrypted:false
                    SSDEEP:48:cmSUIY0jue1ns9nha9nhmR9ntl9ntY9nE9nhZ9ntm9ntb9nb5eoEEiI+JbzoHR70:+rY0Kans9nha9nhq9n39n+9nE9nhZ9n/
                    MD5:3E83DA0D982491ECF42FFD4E3B703BB4
                    SHA1:F7F6CF9806A9EE882B89E954158C62C25A6855FE
                    SHA-256:72F503001EB474D40995246C7C3857CAB8203A2A59F9E07A1BCC58EC45F2AC3B
                    SHA-512:76D5EB703EAA2F4DF5F0462F474D83AB9E8BF6A18C1FDD20498B2D77AB2BC4A209B1BD6C3F1324BCF72582450CF953B67D65EDFEB7548B71FD0D12DD0696480A
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8"?>..<SetupPrereq>...<conditions>....<condition Type="2" Comparison="2" Path="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" FileName="Install" ReturnValue="1"></condition>...</conditions>...<operatingsystemconditions>....<operatingsystemcondition MajorVersion="5" MinorVersion="1" PlatformId="2" CSDVersion="" Bits="1" ProductType="1" ServicePackMajorMin="2"></operatingsystemcondition>....<operatingsystemcondition MajorVersion="5" MinorVersion="2" PlatformId="2" CSDVersion="" Bits="1" ProductType="2|3" ServicePackMajorMin="1"></operatingsystemcondition>....<operatingsystemcondition MajorVersion="5" MinorVersion="2" PlatformId="2" CSDVersion="" Bits="4" ProductType="1"></operatingsystemcondition>....<operatingsystemcondition MajorVersion="6" MinorVersion="0" PlatformId="2" CSDVersion="" Bits="1"></operatingsystemcondition>....<operatingsystemcondition MajorVersion="6" MinorVersion="0" PlatformId="2" CSDVersion="" Bits="1" Product
                    Process:C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exe
                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):2381
                    Entropy (8bit):5.2467107226891025
                    Encrypted:false
                    SSDEEP:48:3JUILbsMnQb+rnhmRrntmrnhmrnbrntbrnqfrnjdrnAmGk32T/FbzuON78wMZ:ZrLbsMno+rnhqrnYrnhmrnbrnRrnqfrJ
                    MD5:3A8F965049D9BED62AF89155A97D8DC0
                    SHA1:9EA603C6BA14111356826B1F89DEFBFED8ECD1AA
                    SHA-256:F1C0A418E5A6D5EBFF6588E22F23F20B25846EC7EACC1327ABD6F4D85A04D1CD
                    SHA-512:A938DAE2E20027E3D231045A80E09B1E4D32C80C0A0167C25AEF1E336DB2FA271EE419B6F4E0E64790911279F6D519D4526A85F32A4797593047A9E4DCABDF96
                    Malicious:false
                    Reputation:low
                    Preview:.<?xml version="1.0" encoding="utf-8"?>..<SetupPrereq>.. <conditions>.. <condition Type="32" Comparison="2" Path="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server Compact Edition\v3.5\ENU" FileName="DesktopRuntimeVersion_x64" ReturnValue="3.5.8080.0"></condition>.. </conditions>.. <operatingsystemconditions>.. <operatingsystemcondition MajorVersion="5" MinorVersion="0" PlatformId="2" CSDVersion="" ServicePackMajorMin="3"></operatingsystemcondition>.. <operatingsystemcondition MajorVersion="5" MinorVersion="2" PlatformId="2" CSDVersion="" Bits="4" ProductType="1"></operatingsystemcondition>.. <operatingsystemcondition MajorVersion="6" MinorVersion="0" PlatformId="2" CSDVersion="" Bits="4"></operatingsystemcondition>.. <operatingsystemcondition MajorVersion="5" MinorVersion="2" PlatformId="2" CSDVersion="" Bits="4" ProductType="2|3"></operatingsystemcondition>.. <operatingsystemcondition MajorVersion="6" MinorVersion="1" PlatformId="2" CSDVersion="" Bits=
                    Process:C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):984
                    Entropy (8bit):5.6077986622519225
                    Encrypted:false
                    SSDEEP:24:2dXSjbUILemb3qj0V6j0Y6jookZTlVaoQjJqd4zu739778eUK:cmbUILbeueReoV/MbzuJ7782
                    MD5:F61C9D8CF21C5764384B0CA76CECF3A2
                    SHA1:4B172EA8A52B1CAAF6954726F0552ABBBA6273DE
                    SHA-256:E5556A583919A693864AF77FFD718719E90DABC715FE6028720470096F2D9B10
                    SHA-512:C6A8C073EAA7D9D062D70D22889A6406B81640C1FCD361A1BDBC43D8B38483D62B095A7F8199BBA7D62568C5741366B444DEE6F67A9066DA8A1FDB1C369EAE35
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8"?>..<SetupPrereq>...<conditions>....<condition Type="32" Comparison="2" Path="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server Compact Edition\v3.5\ENU" FileName="DesktopRuntimeVersion" ReturnValue="3.5.8080.0"></condition>...</conditions>...<operatingsystemconditions>...</operatingsystemconditions>...<files>....<file LocalFile="&lt;ISProductFolder&gt;\SetupPrerequisites\SQL CE 3.5\SSCERuntime_x86-ENU.msi" URL="http://go.microsoft.com/fwlink/?LinkId=166085&amp;clcid=0x409" CheckSum="86AF6D36DFF214718DCD35D851249D3D" FileSize="0,3164160"></file>...</files>...<execute file="SSCERuntime_x86-ENU.msi" cmdline="/q /norestart" cmdlinesilent="/q /norestart" returncodetoreboot="1641,3010,4123" requiresmsiengine="1"></execute>...<properties Id="{B1165B38-CA52-11E0-A63D-7C004824019B}" Description="This prerequisite installs the Microsoft SQL Server Compact 3.5 SP2 (x86)."></properties>...<behavior Reboot="2"></behavior>..</SetupPrereq>
                    Process:C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):2068
                    Entropy (8bit):5.4203888791670005
                    Encrypted:false
                    SSDEEP:48:cT1UIaue1nK4Ynt/Ynh9Ynt4Yn+4YnQbjYnqGYnjgYnA0eomIbJ26eLJZQ78P72u:MrDanK1nCnhCnrn+1noUnqXnj9n37mIU
                    MD5:75C700689358F7AE2E03CB0E87C25EB7
                    SHA1:559759A87AB6D57C07B7D5E2A9372E15E7D2897D
                    SHA-256:9824AFC7876CAAD71A62C9040D776EF1B7CCF2FBC140F84CF8B4679BD9A10770
                    SHA-512:7633A104073F465577D1904FA3C906EB553E89FC36E654B1CEBCE25C99C203361CD2CE8D521B9BF1ABEF66D0F099122C2493C7F43AB94F2C25F94A0A01F1B57D
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<SetupPrereq>...<properties/>...<conditions>....<condition Type="1" Comparison="2" Path="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" FileName="" ReturnValue=""/>...</conditions>...<operatingsystemconditions>....<operatingsystemcondition MajorVersion="5" MinorVersion="1" PlatformId="2" CSDVersion="" Bits="1" ProductType="1" ServicePackMajorMin="1"/>....<operatingsystemcondition MajorVersion="6" MinorVersion="0" PlatformId="2" CSDVersion=""/>....<operatingsystemcondition MajorVersion="5" MinorVersion="2" PlatformId="2" CSDVersion="" ProductType="2|3"/>....<operatingsystemcondition MajorVersion="6" MinorVersion="0" PlatformId="2" CSDVersion="" ProductType="2|3"/>....<operatingsystemcondition MajorVersion="6" MinorVersion="1" PlatformId="2" CSDVersion="" ProductType="1"/>....<operatingsystemcondition MajorVersion="5" MinorVersion="0" PlatformId="2" CSDVersion="" Servi
                    Process:C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):5896
                    Entropy (8bit):3.7405231562333086
                    Encrypted:false
                    SSDEEP:96:rEhkMaE8ZMwKON/XsEbFWaEPRhS+gWPQPgWRGTwQbPrvnp6kY05w7tCYOvlnAMX/:YhcLMicuQaEZhdxoIWRGcQbPr/p00506
                    MD5:079122B97B8DEF4D62B25684AD3D0C15
                    SHA1:8A4DB032A3C128FA559A3D94600AD71301642B69
                    SHA-256:BF4609BA42F50827317D8135AA6D4614F51AF7521F894E90CA89FB631243A7CF
                    SHA-512:BA479A2F3BA035D3C463CCF8ABEE35F61ECA6B814F185520B1775A22D1286FBA2898B0548B1F27D7D2E0FC865E1A6AB014B63AC4F870A5E2AA8D87C3071A3087
                    Malicious:false
                    Reputation:low
                    Preview:..[.I.n.f.o.].....N.a.m.e.=.I.N.T.L.....V.e.r.s.i.o.n.=.1...0.0...0.0.0.....D.i.s.k.S.p.a.c.e.=.8.0.0.0...;.D.i.s.k.S.p.a.c.e. .r.e.q.u.i.r.e.m.e.n.t. .i.n. .K.B.........[.S.t.a.r.t.u.p.].....C.m.d.L.i.n.e.=.....S.u.p.p.r.e.s.s.W.r.o.n.g.O.S.=.Y.....S.c.r.i.p.t.D.r.i.v.e.n.=.0.....S.c.r.i.p.t.V.e.r.=.1...0...0...1.....D.o.t.N.e.t.O.p.t.i.o.n.a.l.I.n.s.t.a.l.l.I.f.S.i.l.e.n.t.=.N.....O.n.U.p.g.r.a.d.e.=.0.....P.r.o.d.u.c.t.=.O.p.t.o.j.u.m.p. .N.e.x.t.....P.a.c.k.a.g.e.N.a.m.e.=.O.p.t.o.j.u.m.p. .N.e.x.t...m.s.i.....E.n.a.b.l.e.L.a.n.g.D.l.g.=.Y.....L.o.g.R.e.s.u.l.t.s.=.N.....D.o.M.a.i.n.t.e.n.a.n.c.e.=.N.....P.r.o.d.u.c.t.C.o.d.e.=.{.6.8.E.7.4.1.8.1.-.8.C.C.0.-.4.1.1.4.-.8.0.1.C.-.2.B.E.0.F.4.2.4.5.F.D.D.}.....P.r.o.d.u.c.t.V.e.r.s.i.o.n.=.1...1.3...2.4.0.....U.p.g.r.a.d.e.C.o.d.e.=.{.4.5.8.3.D.A.8.2.-.5.E.D.9.-.4.E.E.5.-.9.C.4.D.-.6.2.6.2.C.5.1.0.F.A.F.2.}.....L.a.u.n.c.h.e.r.N.a.m.e.=.s.e.t.u.p...e.x.e.....P.a.c.k.a.g.e.C.o.d.e.=.{.0.4.8.7.A.D.0.2.-.A.E.1.B.-.4.2.6.B.-.9.3.F.7.-.A.E.
                    Process:C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exe
                    File Type:XML 1.0 document, ASCII text, with very long lines (371), with CRLF line terminators
                    Category:dropped
                    Size (bytes):1597
                    Entropy (8bit):5.3381529175986335
                    Encrypted:false
                    SSDEEP:48:cmx7JdOue1nQb+9n6R9nhL5eofOl+nln6l1Xz0ws737JI:t7Pano+9nu9nhL57S+lnW1j0DW
                    MD5:00BA1D21ED4422DCD63A8B5583D379F3
                    SHA1:7B41D2E4D5CBE0B7D73CD69C6A651A19C38E5ABE
                    SHA-256:E2620A4DD3BA69B294A7018937FDF5C3951161D4FFBEA0A6A9A9E6367BC22B29
                    SHA-512:189902E13F0C8DCB3CE4819F27A566C50FDF3641A6F7B27122BBA96CFD47B2424AAEC197F6524FAA1E805B9352762096B16574BDA8BE7095CC2E38E94972A004
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8"?>..<SetupPrereq>...<conditions>....<condition Type="16" Comparison="2" Path="[SystemFolder]" FileName="msi.dll" ReturnValue="3.1.4000.2435"></condition>...</conditions>...<operatingsystemconditions>....<operatingsystemcondition MajorVersion="5" MinorVersion="0" PlatformId="2" CSDVersion="" ServicePackMajorMin="3"></operatingsystemcondition>....<operatingsystemcondition MajorVersion="5" MinorVersion="1" PlatformId="2" CSDVersion="" Bits="1" ProductType="1"></operatingsystemcondition>....<operatingsystemcondition MajorVersion="5" MinorVersion="2" PlatformId="2" CSDVersion="" Bits="1" ProductType="2|3" ServicePackMajorMax="0"></operatingsystemcondition>...</operatingsystemconditions>...<files>....<file LocalFile="&lt;ISProductFolder&gt;\SetupPrerequisites\Windows Installer\3.1\x86\WindowsInstaller-KB893803-v2-x86.exe" URL="http://saturn.installshield.com/devstudio/setuprequirements/msi31/WindowsInstaller-KB893803-v2-x86.exe" FileSize="0,0"></file>...</
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):20
                    Entropy (8bit):2.8954618442383215
                    Encrypted:false
                    SSDEEP:3:Q+5lkrJ4l49:Q+s2l49
                    MD5:DB9AF7503F195DF96593AC42D5519075
                    SHA1:1B487531BAD10F77750B8A50ACA48593379E5F56
                    SHA-256:0A33C5DFFABCF31A1F6802026E9E2EEF4B285E57FD79D52FDCD98D6502D14B13
                    SHA-512:6839264E14576FE190260A4B82AFC11C88E50593A20113483851BF4ABFDB7CCA9986BEF83F4C6B8F98EF4D426F07024CF869E8AB393DF6D2B743B9B8E2544E1B
                    Malicious:false
                    Reputation:low
                    Preview:..[.F.i.l.e.s.].....
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):126116296
                    Entropy (8bit):7.99889806836837
                    Encrypted:true
                    SSDEEP:3145728:JVYzmAbltbqhdNe6Qjp1vLe8nn2V961F/toNk:czXxQhbeXXe8nn2X63to2
                    MD5:94498086DC1825A3AF3044BE5F4B5E92
                    SHA1:878E3749C0A461B48A1CD39BB969DECDC96D1155
                    SHA-256:AC6AABEBAEFD96FF42C0BABCFC195A5810A0D5DBD2AF52932B2199BCCE6A29C2
                    SHA-512:A09E1412AE33E4B195663B30CC1CCB0B0648ADD09EF51D8D4B6B05E458114AF405F2678C6037D444E7E09752AA34336ACA0751F6413D79956E29491A533F22A6
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D9.[.Xh..Xh..Xh......Xh......Xh....Xh....Xh../...Xh...BXh../...Xh..Xi..Yh.....@Xh......Xh..X...Xh......Xh.Rich.Xh.................PE..L....7.].................>...R.......l.......P....@..........................@......].....@..........................................................N..............Y..8...........................`...@............P...............................text...)<.......>.................. ..`.rdata.......P.......B..............@..@.data........@...(...$..............@....rsrc................L..............@..@.reloc...y.......z..................@..B................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):5896
                    Entropy (8bit):3.7405231562333086
                    Encrypted:false
                    SSDEEP:96:rEhkMaE8ZMwKON/XsEbFWaEPRhS+gWPQPgWRGTwQbPrvnp6kY05w7tCYOvlnAMX/:YhcLMicuQaEZhdxoIWRGcQbPr/p00506
                    MD5:079122B97B8DEF4D62B25684AD3D0C15
                    SHA1:8A4DB032A3C128FA559A3D94600AD71301642B69
                    SHA-256:BF4609BA42F50827317D8135AA6D4614F51AF7521F894E90CA89FB631243A7CF
                    SHA-512:BA479A2F3BA035D3C463CCF8ABEE35F61ECA6B814F185520B1775A22D1286FBA2898B0548B1F27D7D2E0FC865E1A6AB014B63AC4F870A5E2AA8D87C3071A3087
                    Malicious:false
                    Reputation:low
                    Preview:..[.I.n.f.o.].....N.a.m.e.=.I.N.T.L.....V.e.r.s.i.o.n.=.1...0.0...0.0.0.....D.i.s.k.S.p.a.c.e.=.8.0.0.0...;.D.i.s.k.S.p.a.c.e. .r.e.q.u.i.r.e.m.e.n.t. .i.n. .K.B.........[.S.t.a.r.t.u.p.].....C.m.d.L.i.n.e.=.....S.u.p.p.r.e.s.s.W.r.o.n.g.O.S.=.Y.....S.c.r.i.p.t.D.r.i.v.e.n.=.0.....S.c.r.i.p.t.V.e.r.=.1...0...0...1.....D.o.t.N.e.t.O.p.t.i.o.n.a.l.I.n.s.t.a.l.l.I.f.S.i.l.e.n.t.=.N.....O.n.U.p.g.r.a.d.e.=.0.....P.r.o.d.u.c.t.=.O.p.t.o.j.u.m.p. .N.e.x.t.....P.a.c.k.a.g.e.N.a.m.e.=.O.p.t.o.j.u.m.p. .N.e.x.t...m.s.i.....E.n.a.b.l.e.L.a.n.g.D.l.g.=.Y.....L.o.g.R.e.s.u.l.t.s.=.N.....D.o.M.a.i.n.t.e.n.a.n.c.e.=.N.....P.r.o.d.u.c.t.C.o.d.e.=.{.6.8.E.7.4.1.8.1.-.8.C.C.0.-.4.1.1.4.-.8.0.1.C.-.2.B.E.0.F.4.2.4.5.F.D.D.}.....P.r.o.d.u.c.t.V.e.r.s.i.o.n.=.1...1.3...2.4.0.....U.p.g.r.a.d.e.C.o.d.e.=.{.4.5.8.3.D.A.8.2.-.5.E.D.9.-.4.E.E.5.-.9.C.4.D.-.6.2.6.2.C.5.1.0.F.A.F.2.}.....L.a.u.n.c.h.e.r.N.a.m.e.=.s.e.t.u.p...e.x.e.....P.a.c.k.a.g.e.C.o.d.e.=.{.0.4.8.7.A.D.0.2.-.A.E.1.B.-.4.2.6.B.-.9.3.F.7.-.A.E.
                    Process:C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):5896
                    Entropy (8bit):3.7405231562333086
                    Encrypted:false
                    SSDEEP:96:rEhkMaE8ZMwKON/XsEbFWaEPRhS+gWPQPgWRGTwQbPrvnp6kY05w7tCYOvlnAMX/:YhcLMicuQaEZhdxoIWRGcQbPr/p00506
                    MD5:079122B97B8DEF4D62B25684AD3D0C15
                    SHA1:8A4DB032A3C128FA559A3D94600AD71301642B69
                    SHA-256:BF4609BA42F50827317D8135AA6D4614F51AF7521F894E90CA89FB631243A7CF
                    SHA-512:BA479A2F3BA035D3C463CCF8ABEE35F61ECA6B814F185520B1775A22D1286FBA2898B0548B1F27D7D2E0FC865E1A6AB014B63AC4F870A5E2AA8D87C3071A3087
                    Malicious:false
                    Reputation:low
                    Preview:..[.I.n.f.o.].....N.a.m.e.=.I.N.T.L.....V.e.r.s.i.o.n.=.1...0.0...0.0.0.....D.i.s.k.S.p.a.c.e.=.8.0.0.0...;.D.i.s.k.S.p.a.c.e. .r.e.q.u.i.r.e.m.e.n.t. .i.n. .K.B.........[.S.t.a.r.t.u.p.].....C.m.d.L.i.n.e.=.....S.u.p.p.r.e.s.s.W.r.o.n.g.O.S.=.Y.....S.c.r.i.p.t.D.r.i.v.e.n.=.0.....S.c.r.i.p.t.V.e.r.=.1...0...0...1.....D.o.t.N.e.t.O.p.t.i.o.n.a.l.I.n.s.t.a.l.l.I.f.S.i.l.e.n.t.=.N.....O.n.U.p.g.r.a.d.e.=.0.....P.r.o.d.u.c.t.=.O.p.t.o.j.u.m.p. .N.e.x.t.....P.a.c.k.a.g.e.N.a.m.e.=.O.p.t.o.j.u.m.p. .N.e.x.t...m.s.i.....E.n.a.b.l.e.L.a.n.g.D.l.g.=.Y.....L.o.g.R.e.s.u.l.t.s.=.N.....D.o.M.a.i.n.t.e.n.a.n.c.e.=.N.....P.r.o.d.u.c.t.C.o.d.e.=.{.6.8.E.7.4.1.8.1.-.8.C.C.0.-.4.1.1.4.-.8.0.1.C.-.2.B.E.0.F.4.2.4.5.F.D.D.}.....P.r.o.d.u.c.t.V.e.r.s.i.o.n.=.1...1.3...2.4.0.....U.p.g.r.a.d.e.C.o.d.e.=.{.4.5.8.3.D.A.8.2.-.5.E.D.9.-.4.E.E.5.-.9.C.4.D.-.6.2.6.2.C.5.1.0.F.A.F.2.}.....L.a.u.n.c.h.e.r.N.a.m.e.=.s.e.t.u.p...e.x.e.....P.a.c.k.a.g.e.C.o.d.e.=.{.0.4.8.7.A.D.0.2.-.A.E.1.B.-.4.2.6.B.-.9.3.F.7.-.A.E.
                    Process:C:\Windows\SysWOW64\cmd.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:modified
                    Size (bytes):405787
                    Entropy (8bit):2.2469219154186586
                    Encrypted:false
                    SSDEEP:1536:B5NRU0SEgbBOhOgPLxHaL5SsbgU6VTRBSrL0LSRsaY+UXJs+kp1v+TvfPkNuyr5b:B5NRUqzLTR0S2
                    MD5:7BAB50AB6EB6BE334178689898ED68C2
                    SHA1:C286EFF34673AB207ECAAF57BE3807D3989DB8A6
                    SHA-256:13867DAA2863C02EC29F3B8E6DB525247091F5B44426BE6BE7AB09EF98F4DC45
                    SHA-512:2D2260D7C24BB9363D3022CED31704CD3B1C61158882CF5BD8EEA3575E2085685B9B209795FAD8D74FF0824EAF7E1B32FD57EFBB702A9CEE49C09A9C5CFAFC49
                    Malicious:false
                    Reputation:low
                    Preview:--2024-09-30 07:41:02-- https://update.microgate.it/optojump/optojumpnext.exe..Resolving update.microgate.it (update.microgate.it)... 217.199.6.83..Connecting to update.microgate.it (update.microgate.it)|217.199.6.83|:443... connected...HTTP request sent, awaiting response... 200 OK..Length: 263455292 (251M) [application/octet-stream]..Saving to: 'C:/Users/user/Desktop/download/optojumpnext.exe'.... 0K .......... .......... .......... .......... .......... 0% 226K 18m58s.. 50K .......... .......... .......... .......... .......... 0% 4.21M 9m59s.. 100K .......... .......... .......... .......... .......... 0% 465K 9m43s.. 150K .......... .......... .......... .......... .......... 0% 4.47M 7m32s.. 200K .......... .......... .......... .......... .......... 0% 512K 7m42s.. 250K .......... .......... .......... .......... .......... 0% 4.89M 6m33s.. 300K .......... .......... .......... .......... .......... 0% 698K 6m29s.. 350K .......... .......... .....
                    Process:C:\Windows\SysWOW64\wget.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                    Category:dropped
                    Size (bytes):263455292
                    Entropy (8bit):7.999845300383183
                    Encrypted:true
                    SSDEEP:6291456:qsEIqHXzwjKfjiNhiWTAMG/3ULtZi7QqX3QxnG+GNgM:EIqjwGfeNhiwlG/UjsQnxG++H
                    MD5:16EDDCB330DB5178466D38E3D775FDC0
                    SHA1:3775312B6E8319A97A3BC6074B4F67EF006BD0C5
                    SHA-256:7381F767A8C214DF215C89C71CC2D71F4BA634E985CC57F44F62E9A60880E3A4
                    SHA-512:080893CCD3A1DE5FFA7FAA7FC2B57FFAEBC0AA1C074E2A332250A9C351A7534835E934F8128BEE6D360C747D257F006B8C20DD300F86AA044759C83BFDF94D35
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:TrueType Font data, 15 tables, 1st "OS/2", 31 names, Unicode
                    Category:dropped
                    Size (bytes):26060
                    Entropy (8bit):4.890485304272515
                    Encrypted:false
                    SSDEEP:768:C/gXviOQkP+/fojPQ7EvFJ6o24FnFotA6doag6:Sg/7TP+/fojPQ4t9DnFotA6doaL
                    MD5:C7DCEE3FACDC18E6656D610F4D656E5A
                    SHA1:1FEDCBF59AE59B6A9B3C379573328BD2D63D0AD8
                    SHA-256:5CB42D4A77A013269B4E417200C79ABC38D73460EE896B631EAC88156696A320
                    SHA-512:F9AFB75066CA5754408C0358326A975AD9B5D95CED27FA0C4EA34828053F978CB2806C4789275D458789531D26BB48AAD4AAF62B9E19959BC4FCC48F86B214AA
                    Malicious:false
                    Reputation:low
                    Preview:.......0....OS/2Z`O...d....VPCLTU.....e....6cmapH.....^.....cvt Zm^/..9.....fpgm.3.O..9.....glyf@{....:0..!.hdmx......`.....head....eP...6hhea...B..e....$hmtx)"....\.....loca......[.....maxp......e.... name1.o.......8.post.HS..]l....prep..m...:....-.....z.........:2..........&3...........3..........&3..........&3...........3..........&3..........`4...........4`..........4}..........4...........4}..........4}..........4...........4}.........04..........:2..........&3...........3..........&3..........&3...........3..........&3..........`4..........*."..........2..........j4..........*74.........*74........3............*74.R.E.A.D. .T.H.I.S. .L.I.C.E.N.S.I.N.G. .A.G.R.E.E.M.E.N.T. .C.A.R.E.F.U.L.L.Y. .B.E.F.O.R.E. .U.S.I.N.G. .A. .F.O.N.T. .F.R.O.M. .A.Z.A.L.E.A. .S.O.F.T.W.A.R.E.,. .I.N.C... . .B.Y. .I.N.S.T.A.L.L.I.N.G. .T.H.I.S. .F.O.N.T.,. .Y.O.U. .I.N.D.I.C.A.T.E. .Y.O.U.R. .A.C.C.E.P.T.A.N.C.E. .O.F. .T.H.E. .T.E.R.M.S. .A.N.D. .C.O.N.D.I.T.I.O.N.S. .O.F. .T.H.I.S. .L.I.C.E.N.S.E
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:TrueType Font data, 15 tables, 1st "OS/2", 31 names, Unicode
                    Category:dropped
                    Size (bytes):26136
                    Entropy (8bit):4.902187430390624
                    Encrypted:false
                    SSDEEP:768:q/MVviOQkP+/fojPQ7EvFJ6bYyn8MEcUQcUEJq:6MF7TP+/fojPQ4tSl8MEcUQcUEI
                    MD5:1768987CD912D9D6FC99A5AF7F67B746
                    SHA1:1100F77495EE35A552721DD7486801BF6F7FFA65
                    SHA-256:6C3CDBD428904C53C1018F5746FB63094A04D6212159B495F969D7178E477633
                    SHA-512:CCBA3FA2C24CB4256CA098C1839BEE1A4348854077DD393880A18E57B082549563650062850D702CCBCD052B465BB78732B3294CD736CC4457480091064F4053
                    Malicious:false
                    Reputation:low
                    Preview:.......0....OS/2Z`Oy..e....VPCLTV.....ed...6cmapH.....^X....cvt [._...:$....fpgm.3.O..:.....glyf.?.4..:|..!.hdmx...v..aD....head....e....6hhea.B....e....$hmtxA..'..\.....loca......[.....maxp......e.... name..#.......9.post.HS..].....prep.}....:@...<.....z.........:2..........&3...........3..........&3..........&3...........4 .........&3..........`4&..........4...........4...........4...........4...........4...........4...........4..........04..........:2..........&3...........3..........&3..........&3...........4 .........&3..........`4&.........*."..........2..........j5..........*7m.........*7m........3............*7m.R.E.A.D. .T.H.I.S. .L.I.C.E.N.S.I.N.G. .A.G.R.E.E.M.E.N.T. .C.A.R.E.F.U.L.L.Y. .B.E.F.O.R.E. .U.S.I.N.G. .A. .F.O.N.T. .F.R.O.M. .A.Z.A.L.E.A. .S.O.F.T.W.A.R.E.,. .I.N.C... . .B.Y. .I.N.S.T.A.L.L.I.N.G. .T.H.I.S. .F.O.N.T.,. .Y.O.U. .I.N.D.I.C.A.T.E. .Y.O.U.R. .A.C.C.E.P.T.A.N.C.E. .O.F. .T.H.E. .T.E.R.M.S. .A.N.D. .C.O.N.D.I.T.I.O.N.S. .O.F. .T.H.I.S. .L.I.C.E.N.S.E
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:TrueType Font data, 15 tables, 1st "OS/2", 31 names, Unicode
                    Category:dropped
                    Size (bytes):26080
                    Entropy (8bit):4.950503922851083
                    Encrypted:false
                    SSDEEP:768:6/3XviOQkP+/fojPQ7EvFJxbc+bk8Y8YMcYwhFj:K3/7TP+/fojPQ4tLxk8Y8YMcYwP
                    MD5:C41305AE774777F50F2F0C81B6766D3E
                    SHA1:9C92411D5940A9C3683B5B96FE7F61EC4B301912
                    SHA-256:62AE48DBA0B57EB54E8F4D713411CCD7673C35D138ECB6A20579E13C06854F95
                    SHA-512:B680E06FD2BB7595FC23C0AB8C74D2C2F396787FA137B8E57D19C19CC9F87D1D730B396F2D7740184590B95D8EAB12209BEFFEE913A55DFBDF823A147E75ABB0
                    Malicious:false
                    Reputation:low
                    Preview:.......0....OS/2Z`P...d....VPCLTV.....e,...6cmapH.....^ ....cvt \.`...9.....fpgm.3.O..9.....glyf......:@..!.hdmx......a.....head...*..ed...6hhea...h..e....$hmtxb..;..\.....loca......[.....maxp......e.... name1.o.......8.post.HS..].....prep.}....:....<.....z.........:2..........&3...........3..........&3..........&3...........3..........&3..........`4...........4`..........4}..........4...........4}..........4}..........4...........4}.........04..........:2..........&3...........3..........&3..........&3...........3..........&3..........`4..........*."..........2..........j4..........*74.........*74........3............*74.R.E.A.D. .T.H.I.S. .L.I.C.E.N.S.I.N.G. .A.G.R.E.E.M.E.N.T. .C.A.R.E.F.U.L.L.Y. .B.E.F.O.R.E. .U.S.I.N.G. .A. .F.O.N.T. .F.R.O.M. .A.Z.A.L.E.A. .S.O.F.T.W.A.R.E.,. .I.N.C... . .B.Y. .I.N.S.T.A.L.L.I.N.G. .T.H.I.S. .F.O.N.T.,. .Y.O.U. .I.N.D.I.C.A.T.E. .Y.O.U.R. .A.C.C.E.P.T.A.N.C.E. .O.F. .T.H.E. .T.E.R.M.S. .A.N.D. .C.O.N.D.I.T.I.O.N.S. .O.F. .T.H.I.S. .L.I.C.E.N.S.E
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:TrueType Font data, 15 tables, 1st "OS/2", 31 names, Unicode
                    Category:dropped
                    Size (bytes):26044
                    Entropy (8bit):4.88723641702036
                    Encrypted:false
                    SSDEEP:768:4/SlviOQkP+/fojPQ7EvFJpsNn2TbpvNh7pxLR:4S17TP+/fojPQ4tY4TbpvNh7pxl
                    MD5:8D4F47709C6BB2892C099079CBAC161A
                    SHA1:CDE499B255FC8996B5BF538BF18FC2BDE1A6100A
                    SHA-256:96AB450806BE4FF2EA8408512E194B3D987A7A8AAB73711550B16678AA5D34F8
                    SHA-512:6693891DD4A1224199E5478AE49A5498F3CC5382B94DDEB7BE7DEABE0B6E3169730EB97928F7F192BBE82520F361519357BB163FC5F0B162BF45782577E81A06
                    Malicious:false
                    Reputation:low
                    Preview:.......0....OS/2Z`N...d....VPCLTY.....e....6cmapH.....].....cvt Z.]...9.....fpgm.3.O..9.....glyf......: ..!.hdmx......`.....head.q.c..e@...6hhea...*..ex...$hmtx$.....\.....loca......[.....maxp......e.... nameS.........8.post.HS..]\....prep..m...9....-.....z.........:2..........(3...........3..........(3..........(3...........3..........(3..........`3...........4T..........4q..........4}..........4q..........4q..........4...........4q.........04..........:2..........(3...........3..........(3..........(3...........3..........(3..........`3..........*."..........2..........j4..........*7".........*7"........3............*7".R.E.A.D. .T.H.I.S. .L.I.C.E.N.S.I.N.G. .A.G.R.E.E.M.E.N.T. .C.A.R.E.F.U.L.L.Y. .B.E.F.O.R.E. .U.S.I.N.G. .A. .F.O.N.T. .F.R.O.M. .A.Z.A.L.E.A. .S.O.F.T.W.A.R.E.,. .I.N.C... . .B.Y. .I.N.S.T.A.L.L.I.N.G. .T.H.I.S. .F.O.N.T.,. .Y.O.U. .I.N.D.I.C.A.T.E. .Y.O.U.R. .A.C.C.E.P.T.A.N.C.E. .O.F. .T.H.E. .T.E.R.M.S. .A.N.D. .C.O.N.D.I.T.I.O.N.S. .O.F. .T.H.I.S. .L.I.C.E.N.S.E
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:TrueType Font data, 15 tables, 1st "OS/2", 31 names, Unicode
                    Category:dropped
                    Size (bytes):26060
                    Entropy (8bit):4.912692909273425
                    Encrypted:false
                    SSDEEP:768:Z/KlviOQkP+/fojPQ7EvFJFvoq7gIsoswIMUFUR:BK17TP+/fojPQ4tLZgIsoswIMU2
                    MD5:CB7AE4744C7F7596A49E442EB2CD7D84
                    SHA1:5B83BE52A9839100081600142C6EE0AF7B87EB25
                    SHA-256:3E5A2114CEEBBBEE1178D710928B5D8892B66FE9BB956C04DD6D9CA592D6DCE7
                    SHA-512:2B1423E47A8BAA629D32F63539F56B5CC33109361C870D28076427C98E653B4845228A2EBD939DC8DF03EC3FEB2FB01C51C8521F6C2D0B05E66A2F07D521D66F
                    Malicious:false
                    Reputation:low
                    Preview:.......0....OS/2Z`O...d....VPCLTZC....e....6cmapH.....^.....cvt [._...9.....fpgm.3.O..9.....glyf....:,..!.hdmx......`.....head......eP...6hhea.f....e....$hmtxIh.,..\.....loca......[.....maxp......e.... nameS.........8.post.HS..]l....prep=.:e..9....7.....z.........:2..........(3...........3..........(3..........(3...........3..........(3..........`3...........4T..........4q..........4}..........4q..........4q..........4...........4q.........04..........:2..........(3...........3..........(3..........(3...........3..........(3..........`3..........*."..........2..........j4..........*7".........*7"........3............*7".R.E.A.D. .T.H.I.S. .L.I.C.E.N.S.I.N.G. .A.G.R.E.E.M.E.N.T. .C.A.R.E.F.U.L.L.Y. .B.E.F.O.R.E. .U.S.I.N.G. .A. .F.O.N.T. .F.R.O.M. .A.Z.A.L.E.A. .S.O.F.T.W.A.R.E.,. .I.N.C... . .B.Y. .I.N.S.T.A.L.L.I.N.G. .T.H.I.S. .F.O.N.T.,. .Y.O.U. .I.N.D.I.C.A.T.E. .Y.O.U.R. .A.C.C.E.P.T.A.N.C.E. .O.F. .T.H.E. .T.E.R.M.S. .A.N.D. .C.O.N.D.I.T.I.O.N.S. .O.F. .T.H.I.S. .L.I.C.E.N.S.E
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:TrueType Font data, 15 tables, 1st "OS/2", 31 names, Unicode
                    Category:dropped
                    Size (bytes):26060
                    Entropy (8bit):4.97301951129866
                    Encrypted:false
                    SSDEEP:768:F/KlviOQkP+/fojPQ7EvFJN8f9o/PHfXDf3HuT:NK17TP+/fojPQ4tIm/PHfXDf3Hw
                    MD5:F4D36AAE2D3B14759ABDFA8CF0D243B1
                    SHA1:1AA1C404A38EFD55ACC7759ED75B16A44FCB1EB6
                    SHA-256:BE9A74EDC62CEB59519EE5D79FDBCB16AB1B80C9E8D4F1E4554A270FF1FF5F76
                    SHA-512:BB257A72BA228058AF3D0DD66DE1EE1D5E549237F59F0731D4C38BF2242A518DB53B6DEE6EDE92F750AD71965714A59A8B905797FEE6846D4544BBDC7E0E4903
                    Malicious:false
                    Reputation:low
                    Preview:.......0....OS/2Z`P...d....VPCLT[.....e....6cmapH.....^.....cvt ^.`...9.....fpgm.3.O..9.....glyf......:,..!.hdmx".....`.....head.W.9..eP...6hhea...X..e....$hmtx...W..\.....loca......[.....maxp......e.... nameS.........8.post.HS..]l....prep=.:e..9....7.....z.........:2..........(3...........3..........(3..........(3...........3..........(3..........`3...........4T..........4q..........4}..........4q..........4q..........4...........4q.........04..........:2..........(3...........3..........(3..........(3...........3..........(3..........`3..........*."..........2..........j4..........*7".........*7"........3............*7".R.E.A.D. .T.H.I.S. .L.I.C.E.N.S.I.N.G. .A.G.R.E.E.M.E.N.T. .C.A.R.E.F.U.L.L.Y. .B.E.F.O.R.E. .U.S.I.N.G. .A. .F.O.N.T. .F.R.O.M. .A.Z.A.L.E.A. .S.O.F.T.W.A.R.E.,. .I.N.C... . .B.Y. .I.N.S.T.A.L.L.I.N.G. .T.H.I.S. .F.O.N.T.,. .Y.O.U. .I.N.D.I.C.A.T.E. .Y.O.U.R. .A.C.C.E.P.T.A.N.C.E. .O.F. .T.H.E. .T.E.R.M.S. .A.N.D. .C.O.N.D.I.T.I.O.N.S. .O.F. .T.H.I.S. .L.I.C.E.N.S.E
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:TrueType Font data, 15 tables, 1st "OS/2", 31 names, Unicode
                    Category:dropped
                    Size (bytes):26060
                    Entropy (8bit):4.880954719424452
                    Encrypted:false
                    SSDEEP:768:g/QuviOQkP+/fojPQ7EvFJG6JzO5xFxFph1dha:gQQ7TP+/fojPQ4t3o5xFxFph1d8
                    MD5:FFAAB05816284B93DFBD5277957B9C17
                    SHA1:268D537FA72D72CD83192BDF94548B3CAEB742A4
                    SHA-256:81974F800566A89EDCE7780E62057638099592BF352307509054BE1B63CE4BDF
                    SHA-512:C3710C5D57555D686D0E9EC33EB56D15D783A2805D67ABD2AB90435819AC3CFE521DE46F26DCF30ACD20601457CE410F2F4BE18838C6C86BE9C56F2B410067E4
                    Malicious:false
                    Reputation:low
                    Preview:.......0....OS/2Z`O...d....VPCLT^.....e....6cmapH.....^.....cvt Zt^...9.....fpgm.3.O..9.....glyfw.!...:0..!.hdmx.....`.....head....eP...6hhea...<..e....$hmtx(.....\.....loca......[.....maxp......e.... name.Al.......8.post.HS..]l....prep.C....9....2.....z.........:2.........."3...........3.........."3.........."3...........3.........."3..........`3...........4\..........4y..........4...........4y..........4y..........4...........4y.........04..........:2.........."3...........3.........."3.........."3...........3.........."3..........`3..........*."..........2..........j4..........*7..........*7.........3............*7..R.E.A.D. .T.H.I.S. .L.I.C.E.N.S.I.N.G. .A.G.R.E.E.M.E.N.T. .C.A.R.E.F.U.L.L.Y. .B.E.F.O.R.E. .U.S.I.N.G. .A. .F.O.N.T. .F.R.O.M. .A.Z.A.L.E.A. .S.O.F.T.W.A.R.E.,. .I.N.C... . .B.Y. .I.N.S.T.A.L.L.I.N.G. .T.H.I.S. .F.O.N.T.,. .Y.O.U. .I.N.D.I.C.A.T.E. .Y.O.U.R. .A.C.C.E.P.T.A.N.C.E. .O.F. .T.H.E. .T.E.R.M.S. .A.N.D. .C.O.N.D.I.T.I.O.N.S. .O.F. .T.H.I.S. .L.I.C.E.N.S.E
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:TrueType Font data, 15 tables, 1st "OS/2", 31 names, Unicode
                    Category:dropped
                    Size (bytes):26144
                    Entropy (8bit):4.925845927125966
                    Encrypted:false
                    SSDEEP:768:+/u1yviOQkP+/fojPQ7EvFJOr4CT8MEcUQcUE1Qh:uuO7TP+/fojPQ4t6p8MEcUQcUEW
                    MD5:1F0518568366EB67595DC08CFF5F8EAE
                    SHA1:41F71A7E71203AC904E7AD700D4C04FF14044F59
                    SHA-256:2E9BAD704E175D3665AFEC9DEB3C1A012DAFE20755A56A92DE5B27B7BC3C1FA9
                    SHA-512:B3DD2D401665DAB4A00D3054F8B923F763B319FB8CD94E65438D59978F62350C1A19826668D784DCD97A255BB91248602E8DCCA1309A4138290DE9429159F685
                    Malicious:false
                    Reputation:low
                    Preview:.......0....OS/2Z`O...e....VPCLT_g....el...6cmapH.....^`....cvt ].`V..:.... fpgm.3.O..:.....glyf.btD..:...!.hdmx...m..aL....head.7.;..e....6hhea......e....$hmtxQ..0..\.....loca......\.....maxp......f.... name.tc.......9.post.HS..].....prep.O....:8...F.....z.........:2.........."3...........3.........."3.........."3...........4.........."3..........`4...........4~..........4...........4...........4...........4...........4...........4..........04..........:2.........."3...........3.........."3.........."3...........4.........."3..........`4..........*."..........2..........j4..........*7a.........*7a........3............*7a.R.E.A.D. .T.H.I.S. .L.I.C.E.N.S.I.N.G. .A.G.R.E.E.M.E.N.T. .C.A.R.E.F.U.L.L.Y. .B.E.F.O.R.E. .U.S.I.N.G. .A. .F.O.N.T. .F.R.O.M. .A.Z.A.L.E.A. .S.O.F.T.W.A.R.E.,. .I.N.C... . .B.Y. .I.N.S.T.A.L.L.I.N.G. .T.H.I.S. .F.O.N.T.,. .Y.O.U. .I.N.D.I.C.A.T.E. .Y.O.U.R. .A.C.C.E.P.T.A.N.C.E. .O.F. .T.H.E. .T.E.R.M.S. .A.N.D. .C.O.N.D.I.T.I.O.N.S. .O.F. .T.H.I.S. .L.I.C.E.N.S.E
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:TrueType Font data, 15 tables, 1st "OS/2", 31 names, Unicode
                    Category:dropped
                    Size (bytes):26088
                    Entropy (8bit):4.943720808616732
                    Encrypted:false
                    SSDEEP:768:8/ouviOQkP+/fojPQ7EvFJGnvPN4XXn3HD3HHEU6:coQ7TP+/fojPQ4t4veXXn3HD3HHE/
                    MD5:C8301CF306E5B650F4A7C4E079656A52
                    SHA1:7BB01764FA2AF66E963E808919B440F919E10B14
                    SHA-256:25F9BF72F118BBDEB93C190BA9B2BC0DD960A083A3205E3D0E032892887F611A
                    SHA-512:25C21E5FF2D9ED103F5B59A8486EABC19E4FD75C7394F02E3B7B0A0B6D4D2CD9E69938C82B9923A65EB1076C49B4C69C3F5D327BBDE9A07E08446BC42596E58F
                    Malicious:false
                    Reputation:low
                    Preview:.......0....OS/2Z`QA..d....VPCLT`.....e4...6cmapH.....^(....cvt ].b6..9.....fpgm.3.O..9.....glyf4.4...:<..!.hdmx-%$...a.....head....el...6hhea......e....$hmtx...`..\.....loca...&..[.....maxp......e.... name.Cl.......8.post.HS..].....prep.}....:....<.....z.........:2.........."3...........3.........."3.........."3...........3.........."3..........`3...........4\..........4y..........4...........4y..........4y..........4...........4y.........04..........:2.........."3...........3.........."3.........."3...........3.........."3..........`3..........*."..........2..........j4..........*7..........*7.........3............*7..R.E.A.D. .T.H.I.S. .L.I.C.E.N.S.I.N.G. .A.G.R.E.E.M.E.N.T. .C.A.R.E.F.U.L.L.Y. .B.E.F.O.R.E. .U.S.I.N.G. .A. .F.O.N.T. .F.R.O.M. .A.Z.A.L.E.A. .S.O.F.T.W.A.R.E.,. .I.N.C... . .B.Y. .I.N.S.T.A.L.L.I.N.G. .T.H.I.S. .F.O.N.T.,. .Y.O.U. .I.N.D.I.C.A.T.E. .Y.O.U.R. .A.C.C.E.P.T.A.N.C.E. .O.F. .T.H.E. .T.E.R.M.S. .A.N.D. .C.O.N.D.I.T.I.O.N.S. .O.F. .T.H.I.S. .L.I.C.E.N.S.E
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Create Time/Date: Thu Jun 19 07:52:58 2014, Name of Creating Application: Windows Installer XML v2.0.3116.0 (candle/light), Title: Installation Database, Subject: SAP Crystal Reports runtime engine for .NET Framework (32-bit), Author: SAP, Keywords: Crystal Reports, .NET, Comments: This installer database contains the logic and data required to install SAP Crystal Reports runtime engine for .NET Framework (32-bit)., Template: ;1033, Last Saved By: alessandrom, Revision Number: {6D9975D3-DAE5-42E5-9C3E-70CE836D947D}, Last Saved Time/Date: Wed Mar 10 11:38:59 2021, Number of Pages: 200, Number of Words: 2, Security: 1
                    Category:dropped
                    Size (bytes):78157312
                    Entropy (8bit):7.977283484421576
                    Encrypted:false
                    SSDEEP:1572864:rFYgUSDSOmat2rB//ptrzKtwEzzKsOesWzxTagjmtTyh:rFvUSDS6t2rB//pN2tZPHOePtgT
                    MD5:B4179D86C2E9A9366B3B03730C83425D
                    SHA1:054F18D77B3D8E1C4355BAC5A2A60A5CA57AF17D
                    SHA-256:6E11C90F6F0AAA498FAC78676F2C0B62102F17160458339673A4787A2770B777
                    SHA-512:25C89124D6102900E0C1D7F17AD8EEA9872818DFE71BF03EF205705AED559F3F802985312815177696481D927D85EE727D02F7AF19BEBC64FDEE56438D842B7F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft SQL Server Compact, Author: Microsoft Corporation, Keywords: Installer, MSI, Database, Intel, Comments: This installer database contains the logic and data required to install Microsoft SQL Server Compact 3.5 SP2 ENU., Template: Intel;1033, Revision Number: {84395861-2117-43CE-9029-6D1A73F6929A}, Create Time/Date: Fri Feb 12 03:19:10 2010, Last Saved Time/Date: Fri Feb 12 03:19:10 2010, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML v3.0.2921.0, Security: 2
                    Category:dropped
                    Size (bytes):3164160
                    Entropy (8bit):7.4672036886736395
                    Encrypted:false
                    SSDEEP:49152:zfii8t59kIUvtcaLotZgA0fRHCUsmZ/Aus1e7J/VoNxvrIQ2pjEQpF:zfii8t59QzotZp/oZCG9oNZIH
                    MD5:86AF6D36DFF214718DCD35D851249D3D
                    SHA1:286A78FAAE68FCBA8FBA4EDCD9FA201DE1F25D12
                    SHA-256:99B5F0C1CC7FE40120A36FB760CC7C646EDEF5916695D6ECD8D41E8BBA9B1C60
                    SHA-512:3642157F27BB4840A69DCB7CBD7298CF0865736E0A5C728FFC37330814BCB42D565C936432DE4D87D361E3F42CAC0B1872DB7712A211333B5307ACF1BBDF6ABB
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft SQL Server Compact, Author: Microsoft Corporation, Keywords: Installer, MSI, Database, Intel, Comments: This installer database contains the logic and data required to install Microsoft SQL Server Compact 3.5 SP2 ENU., Template: Intel;1033, Revision Number: {84395861-2117-43CE-9029-6D1A73F6929A}, Create Time/Date: Fri Feb 12 03:19:10 2010, Last Saved Time/Date: Fri Feb 12 03:19:10 2010, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML v3.0.2921.0, Security: 2
                    Category:dropped
                    Size (bytes):3164160
                    Entropy (8bit):7.4672036886736395
                    Encrypted:false
                    SSDEEP:49152:zfii8t59kIUvtcaLotZgA0fRHCUsmZ/Aus1e7J/VoNxvrIQ2pjEQpF:zfii8t59QzotZp/oZCG9oNZIH
                    MD5:86AF6D36DFF214718DCD35D851249D3D
                    SHA1:286A78FAAE68FCBA8FBA4EDCD9FA201DE1F25D12
                    SHA-256:99B5F0C1CC7FE40120A36FB760CC7C646EDEF5916695D6ECD8D41E8BBA9B1C60
                    SHA-512:3642157F27BB4840A69DCB7CBD7298CF0865736E0A5C728FFC37330814BCB42D565C936432DE4D87D361E3F42CAC0B1872DB7712A211333B5307ACF1BBDF6ABB
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):774144
                    Entropy (8bit):6.630578909576128
                    Encrypted:false
                    SSDEEP:12288:MHxfkFW+lYouw09mJDnd8zf3K0igb61HK5kk4zap:SxfkFW+7uw09mJu7a0igb6lTza
                    MD5:544CC93D7A72A5638D8C78275876EA03
                    SHA1:8D2F39007AC4638C4F4470F7EC1D5B1FBC5CB051
                    SHA-256:15A390645B65B1AE22B90F75BDFC0BA9218AC31E0A2E468780AE745301A0E20C
                    SHA-512:64B1054847DE97137C6EF7ACEB578A1820A3F7FEE53B43A3826336E0A8052B8CA08F2A710CC39685A2646FD0567A7CA1111B89E33AC940C597465B290C55D272
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):28672
                    Entropy (8bit):3.741623752383387
                    Encrypted:false
                    SSDEEP:192:XOdG/6G4nnykxsdYZ+mrv2ySzLUHypLGgjuXFw5acHKBNtHjhuHWrkA9uBP1WWzT:P6GuZBrvkzAHyxxHKBdaA2dWWzm0ZH
                    MD5:85221B3BCBA8DBE4B4A46581AA49F760
                    SHA1:746645C92594BFC739F77812D67CFD85F4B92474
                    SHA-256:F6E34A4550E499346F5AB1D245508F16BF765FF24C4988984B89E049CA55737F
                    SHA-512:060E35C4DE14A03A2CDA313F968E372291866CC4ACD59977D7A48AC3745494ABC54DF83FFF63CF30BE4E10FF69A3B3C8B6C38F43EBD2A8D23D6C86FBEE7BA87D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1558862
                    Entropy (8bit):5.7721049073848025
                    Encrypted:false
                    SSDEEP:12288:HxYAPmYjoBErGHtGeN6KzST3oXLsxqwa65Pev:HxYAPmdESGeN6Lq03M
                    MD5:6585F56623C67C4FBBBBF7DA47D682B3
                    SHA1:2A132CFB55253D8A7CA8FC60DC06C4ED61C8A4B3
                    SHA-256:D157364AFCCEC840EBF60424939DD611D4EF9A6B9F7B5EE2A881C4705D126FE9
                    SHA-512:BEDB279250DFC8AADA89D7F1337FD0DF4B5E89FF437806DBDC5A48ACABC81F646DA0F976761ABCEB96907A38C8005112AD524B940C525EC2F1D36F831364888C
                    Malicious:false
                    Reputation:low
                    Preview:...@IXOS.@.....@.=>Y.@.....@.....@.....@.....@.....@......&.{4A10D640-13F1-4A13-BAD1-3E3790511B17}>.SAP Crystal Reports runtime engine for .NET Framework (32-bit)..CRRuntime_32bit_13_0_10.msi.@.....@.....@.....@......CR.ico..&.{6D9975D3-DAE5-42E5-9C3E-70CE836D947D}.....@.....@.....@.....@.......@.....@.....@.......@....>.SAP Crystal Reports runtime engine for .NET Framework (32-bit)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{1384A931-0C1C-471A-A67E-C5F8261D11D2}c.C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\readme.txt.@.......@.....@.....@......&.{BB198B1B-A18C-47B0-8840-D91894E8CD1F}..C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\crpe32.dll.@.......@.....@.....@......&.{18C05BD9-015F-4507-83DC-75976E7ECED9}..C:\
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):28672
                    Entropy (8bit):3.741623752383387
                    Encrypted:false
                    SSDEEP:192:XOdG/6G4nnykxsdYZ+mrv2ySzLUHypLGgjuXFw5acHKBNtHjhuHWrkA9uBP1WWzT:P6GuZBrvkzAHyxxHKBdaA2dWWzm0ZH
                    MD5:85221B3BCBA8DBE4B4A46581AA49F760
                    SHA1:746645C92594BFC739F77812D67CFD85F4B92474
                    SHA-256:F6E34A4550E499346F5AB1D245508F16BF765FF24C4988984B89E049CA55737F
                    SHA-512:060E35C4DE14A03A2CDA313F968E372291866CC4ACD59977D7A48AC3745494ABC54DF83FFF63CF30BE4E10FF69A3B3C8B6C38F43EBD2A8D23D6C86FBEE7BA87D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):557171
                    Entropy (8bit):6.067076598495985
                    Encrypted:false
                    SSDEEP:6144:A7vgqkZ7YvjX2Ji7vgqkZ7YvQGScfvkY3pEFmklfAw7vgqkZ7YvkU:uvgqkZ7YbvgqkZ7YmvgqkZ7Y1
                    MD5:BD3FF290A01F95F6A126D62D82C6F7E1
                    SHA1:AF80654ECD388A1DE58D5E9C9AE69C3BB8D97BC2
                    SHA-256:1DF0A181EB573D3BCE59017F0D1097CE44B63D082A7C9D066389527562124AA5
                    SHA-512:8A4296966D5939FA37FDD3B2DFC576E9A126451FF42E0308C8F32BF03C7F349920A6E9D1C2FCBE1842FC2C67BE6ACB58E1A1EBD2A84195D2D79B8CD4EF708F12
                    Malicious:false
                    Reputation:low
                    Preview:...@IXOS.@.....@.=>Y.@.....@.....@.....@.....@.....@......&.{3A9FC03D-C685-4831-94CF-4EDFD3749497}(.Microsoft SQL Server Compact 3.5 SP2 ENU..SSCERuntime_x86-ENU.msi.@.....@.....@.....@......ProductIcon..&.{84395861-2117-43CE-9029-6D1A73F6929A}.....@.....@.....@.....@.......@.....@.....@.......@....(.Microsoft SQL Server Compact 3.5 SP2 ENU......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@Q....@.....@.]....&.{309E848F-658B-4419-AC6D-FF3BAA5E71A7}M.C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\EULA_ENU.rtf.@.......@.....@.....@......&.{4293DF50-7F0E-47F9-1033-4662ABD730B5}Z.02:\Software\Microsoft\Microsoft SQL Server Compact Edition\v3.5\ENU\DesktopRuntimeVersion.@.......@.....@.....@......&.{D5ED5BEE-1033-4134-A902-6ED3C0537565}a.C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\ReadMeSyncServices_ENU.htm.@.......@.....@.....@......
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):116736
                    Entropy (8bit):6.437216161610729
                    Encrypted:false
                    SSDEEP:1536:GCUrm0W6vgq+/LrHl1jw8H9PCAl1U24VGHVmh5Dg1MAP5J/f:/Amb6vgq8LrFfCAlu24VG825JX
                    MD5:00C3F5CA474A20C4A8DFB263A3950DAD
                    SHA1:78B00A2E0490E1664AF4D86FDBD3AC78330D21D4
                    SHA-256:9D849A8F5B39941EA32D47F0529977B1870F648736A483D86682436E3D3DB748
                    SHA-512:20A8A8655B61B464F29329A70DAA95A36C8C54B549BBEC26ED93C63097D6D7A4C0A3CA1CB9A85A0521D298885C00F22FBFA28ABF9AA33737056B48CC0EBEAD9D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):116736
                    Entropy (8bit):6.437216161610729
                    Encrypted:false
                    SSDEEP:1536:GCUrm0W6vgq+/LrHl1jw8H9PCAl1U24VGHVmh5Dg1MAP5J/f:/Amb6vgq8LrFfCAlu24VG825JX
                    MD5:00C3F5CA474A20C4A8DFB263A3950DAD
                    SHA1:78B00A2E0490E1664AF4D86FDBD3AC78330D21D4
                    SHA-256:9D849A8F5B39941EA32D47F0529977B1870F648736A483D86682436E3D3DB748
                    SHA-512:20A8A8655B61B464F29329A70DAA95A36C8C54B549BBEC26ED93C63097D6D7A4C0A3CA1CB9A85A0521D298885C00F22FBFA28ABF9AA33737056B48CC0EBEAD9D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Composite Document File V2 Document, Cannot read section info
                    Category:dropped
                    Size (bytes):20480
                    Entropy (8bit):1.168850476277382
                    Encrypted:false
                    SSDEEP:12:JSbX72FjFAGiLIlHVRpU5h/7777777777777777777777777vDHFV48Tgr/Jl0i5:JLQI5GnbPTtF
                    MD5:19044B82DFCEA7BE630338090AE498CA
                    SHA1:8937F38A41DA5C9F7C4846B354AD4B7238BF3903
                    SHA-256:B0CFF624269462DBAEA6E31D0EB285CFE4ECBEA70F5F232DBDFE0271736BFC57
                    SHA-512:60D22B2A72700C38C9559894BC38F73C855FF6B87FD1A9E677875E4E4EB40E9E05DD455EE9EF4C0C7B4A31F36E2978F3E198BC07DC07862E4A927B2F72761B7B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:MS Windows icon resource - 4 icons, 16x16, 8 bits/pixel, 16x16, 32 bits/pixel
                    Category:dropped
                    Size (bytes):9062
                    Entropy (8bit):3.681560845145832
                    Encrypted:false
                    SSDEEP:48:4hXdTtjslSN5kC+GK/u9G16oKpNSxW5Uw7/8IbG3EgIbLiG2InOZKZ+Hue4qOWzN:4Xtp+GK/0pSxWL7t+EpbLiG2Inu5WTK
                    MD5:6206253A315B55D21CBB3F393D76A772
                    SHA1:B30E372E337A8BA1FB6F26EDB42D6BDEAC520742
                    SHA-256:3DBF333B281B80812EA763918E38B253F326B77A357E508722E4B5591EA5A7CA
                    SHA-512:B1DDCA0BFF02829091ED2EB92A61D3546C4197DE01AEBB80C46A7BDF622B319265BD762DEFBCFF2CE5CA41A0225BF7EF2F8FE8448DBA87B6868D95920FA465F4
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):432315
                    Entropy (8bit):5.375211019125
                    Encrypted:false
                    SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauz:zTtbmkExhMJCIpEra
                    MD5:F67E387036167D5D3AE95BC6F885C1AF
                    SHA1:774E199D0CD149474D611A185BC8A243984D2CD2
                    SHA-256:D5B4ED8530EB8E38A87AA43DD2A51B03ADD678CBD7DB0DB6C75BF19933BAB6E2
                    SHA-512:2B067CB620DB214F1BDBF36C565F64B1D84048DA51168C0A5A5635B505C5BD51D12B066CB235912EA7FA7D530716B0B7ED1B9151EB35D3C61AFADB952D677E88
                    Malicious:false
                    Reputation:low
                    Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                    Process:C:\Windows\SysWOW64\msiexec.exe
                    File Type:XML 1.0 document, ASCII text, with very long lines (541), with CRLF line terminators
                    Category:dropped
                    Size (bytes):25130
                    Entropy (8bit):5.231770395819816
                    Encrypted:false
                    SSDEEP:384:ftathRwRnRLrRvRyWbRqqRkOZ5Ca9R7x+PE3vfyhTMuKZ:qhODJahTMue
                    MD5:7E3352B4A1384DB30C7D715227E1B11E
                    SHA1:86943DE399F959EE54052049B409B2545266FF2B
                    SHA-256:553F46E1D7AA1A71F4870850BFBD50B1FBF24285DD3A905FB47740CB04EE0BA2
                    SHA-512:7C09C230827D744690ACAF053F3CE799197CBB31C5641803B1D16138E9103F39B6B50DCF0B886FC6F6492BA4AE37FDECF22C11DE2E01A9A6D6D45FA4326F1231
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8"?>.. .. Please refer to machine.config.comments for a description and.. the default values of each configuration section..... For a full documentation of the schema please refer to.. http://go.microsoft.com/fwlink/?LinkId=42127.... To improve performance, machine.config should contain only those.. settings that differ from their defaults...-->..<configuration>...<configSections>....<section name="appSettings" type="System.Configuration.AppSettingsSection, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" restartOnExternalChanges="false" requirePermission="false"/>....<section name="connectionStrings" type="System.Configuration.ConnectionStringsSection, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" requirePermission="false"/>....<section name="mscorlib" type="System.Configuration.IgnoreSection, System.Configuration, Version=2.0.0.0, Culture=neutral,
                    Process:C:\Windows\SysWOW64\msiexec.exe
                    File Type:XML 1.0 document, ASCII text, with very long lines (541), with CRLF line terminators
                    Category:modified
                    Size (bytes):33680
                    Entropy (8bit):5.229190798104574
                    Encrypted:false
                    SSDEEP:384:fttWtttRtURtbRtfrRtDRtWDUHJ6YZvIcRtG0tRtyDnARqhBaFCq8CLim5eF4Rdk:y4lQOw37Vz
                    MD5:5C396442171A319B8A74A2C31A9B5841
                    SHA1:B3990F01E91F7A564C96599255B3C665F9E98208
                    SHA-256:D2A3CE0525CFFEFBE292ABBC50B6CB2921CD89BFA299CC2169F1F961A7373058
                    SHA-512:27A6C904A7F48A28CA8905EAE73A0BBF3F6F9A2EE0858C29ABCF58F28FAC5D6BDB10FC76D32723D31F97C844F0F257314F8EF0B3EA89AB583EC6CA09D36512AC
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8"?>.. .. Please refer to machine.config.comments for a description and.. the default values of each configuration section..... For a full documentation of the schema please refer to.. http://go.microsoft.com/fwlink/?LinkId=42127.... To improve performance, machine.config should contain only those.. settings that differ from their defaults...-->..<configuration>...<configSections>....<section name="appSettings" type="System.Configuration.AppSettingsSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" restartOnExternalChanges="false" requirePermission="false"/>....<section name="connectionStrings" type="System.Configuration.ConnectionStringsSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" requirePermission="false"/>....<section name="mscorlib" type="System.Configuration.IgnoreSection, System.Configuration, Version=4.0.0.0, Culture=neutral,
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):499712
                    Entropy (8bit):6.414789978441117
                    Encrypted:false
                    SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                    MD5:561FA2ABB31DFA8FAB762145F81667C2
                    SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                    SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                    SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):348160
                    Entropy (8bit):6.542655141037356
                    Encrypted:false
                    SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                    MD5:86F1895AE8C5E8B17D99ECE768A70732
                    SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                    SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                    SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Composite Document File V2 Document, Cannot read section info
                    Category:dropped
                    Size (bytes):49152
                    Entropy (8bit):1.1952839567699975
                    Encrypted:false
                    SSDEEP:96:O9DrT978eQNg58MrnTgoU/N/29MwPMrnZ099X:ADrR7Vog58MLewPMLZ0
                    MD5:9CC230AEA40970F0E44F1C512E6CB034
                    SHA1:1C0B3D37B61421983579F7D3FCF57746FA4158FE
                    SHA-256:96925F95C7E07B74BBC8B53C031E5CF974826294CE1A7E876E6EDE6F384CA67F
                    SHA-512:6739CA23AC9A5DFF9E78B09A3D8815CE5E6804BF7A35B9143BFE0ADDDAA3B78B43673E4E4AB48EDAA00A7E974883AB6EF7E057534B583B9ADEBACB0D241801FC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):32768
                    Entropy (8bit):0.07533397926702162
                    Encrypted:false
                    SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOVAHoV7ALqgrzt6Vky6lD1:2F0i8n0itFzDHFV48Tgr/J
                    MD5:8AC0FC4FC93D680CC5209C8A367EA2AF
                    SHA1:DD3B7942824D65E3A464EC0DC797E9439D00D8E8
                    SHA-256:586344DC76DD0F01E1FF46B9A194161BB26E557694787A0854866F7E9CFBE19A
                    SHA-512:FA6D3C709F4A95DE202B6710049D08306DDB34F2C48AFE66B09CDA51C551227E4E5DE3403ADBAB7C613F37A76932859E87AB4FBE1F95F47A51400A48F983B7AC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):81920
                    Entropy (8bit):0.2716886552636329
                    Encrypted:false
                    SSDEEP:48:N9XUvMQfWStXdoJRdVWrkzdVWHDSoXdoJ56AdoJRdVWrkzdVWTk5kFjkFk0z5/kG:N9XU0XPMrnjg58MrnTgoU/N/29My2
                    MD5:827313AEC7E7649C5995ED4057E259E0
                    SHA1:D5FD25770E3E9B00B3DE4AA49710C452B9605A72
                    SHA-256:AD91CD375998EEA0936E100BDCF56D1066A5DAF70C3665C6E457BB9BC30AB5B7
                    SHA-512:EC5CDADB7270017A3072A258FAD969FBD43DD10241E19098DD637070EAE0F6C41D36579E704F1F590C00FFB19C0A2B4016FB7FE4375F99A5B296C44E351D31DF
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):512
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3::
                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):512
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3::
                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Composite Document File V2 Document, Cannot read section info
                    Category:dropped
                    Size (bytes):49152
                    Entropy (8bit):1.1952839567699975
                    Encrypted:false
                    SSDEEP:96:O9DrT978eQNg58MrnTgoU/N/29MwPMrnZ099X:ADrR7Vog58MLewPMLZ0
                    MD5:9CC230AEA40970F0E44F1C512E6CB034
                    SHA1:1C0B3D37B61421983579F7D3FCF57746FA4158FE
                    SHA-256:96925F95C7E07B74BBC8B53C031E5CF974826294CE1A7E876E6EDE6F384CA67F
                    SHA-512:6739CA23AC9A5DFF9E78B09A3D8815CE5E6804BF7A35B9143BFE0ADDDAA3B78B43673E4E4AB48EDAA00A7E974883AB6EF7E057534B583B9ADEBACB0D241801FC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Composite Document File V2 Document, Cannot read section info
                    Category:dropped
                    Size (bytes):81920
                    Entropy (8bit):2.682645156539886
                    Encrypted:false
                    SSDEEP:384:pxY9o6Ce3kOEyiuzzK3uI29QgPsO0GoRwNxDy6BmK17klMexrcoiguABTFbKm2fJ:P/T+gsXn+gkX
                    MD5:74EC7FB4122426EEA0125C3F710F3A14
                    SHA1:FB2E1A9D58470498BDC7B5A17226497A5F4C7D9A
                    SHA-256:CF50732AEA7531C5E57DE23F7DF32CABADE500585501FB338FDDB4630AE14F22
                    SHA-512:9FE7E86D4FFBC8032C5A3306E4C0F36224083E64B39D08E799DDDE7A1A1EE9616EFEFE0FDC747791DB382404348FA619BC871B57E46C877256BA70B5D29DBFCC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):512
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3::
                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):97280
                    Entropy (8bit):6.521477408504959
                    Encrypted:false
                    SSDEEP:1536:SskNTnYQzkuvliN+9sdYhfv3rkT+za16/rWmE9dV87mKxGXmwkbos3co9:S1TnY4kclz9sdO/o9dVMmXmwkl
                    MD5:3E9A33113D663D8BD5ED38858E669652
                    SHA1:1292DC7FFC35A1EF2B761672361BCFFA7483169E
                    SHA-256:63E1985A37D5993D170373BC28D067C13C1541CA2B63968B82E35EAACD927B49
                    SHA-512:A2DCD0D5DB662653D3085D2AB39E8697B25E096FD2093E3F5CA2EDB3087356814ADB9F99E490DC95293198E05551A3DDBB3FA2918B8ED5F76D84A22268BFBE7A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):7473
                    Entropy (8bit):7.342580881475494
                    Encrypted:false
                    SSDEEP:192:kM0YfIJ2hEi1HnNpBjSebyaAqjkKiTbmrKjTx7:kf9eHNpBjTeajC4Wl7
                    MD5:620C8F7513EE75D9E198B0EDEB91D289
                    SHA1:D25EEE539B6AFC0520F6D61D7D8CE621EDBB1389
                    SHA-256:813C74C7711815CF656F96F0CE5D9E57A31C3C4F98B607C8425CDBE8D5CCB436
                    SHA-512:59AC746C9B46AE1109B8A229DF89AA07A2CE1A03088623A8D321C3F4361E33D31E3E78CDF6C804DF395B000610A4DD9509F8193860B7A1F02B4808FE409290B0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):466
                    Entropy (8bit):5.340909189024263
                    Encrypted:false
                    SSDEEP:12:TMHdt7IBeBFJ3/3XO53SNK+yGuRgVuNnyEGNLzIqG:2dtMEDJ/eiNK+yrRg4NnYNLzc
                    MD5:268D9AB03D40B6B580B4702289F27A7F
                    SHA1:2B1A5FD2D654C7B7B5B959FE4360EE654F4FE634
                    SHA-256:43E8B1D9F404EB67105AB15282FD01F5BF4CD30F7F0C5D1250D11E9384AE9CC5
                    SHA-512:7C4213DDE6B65A97A70D65DDCB8D54D0D2523FE5A1A9E6DEC087126335B901630D83A180F4D79B1582F0917F1A23C5749BF6B232F3F8246B50CEA40BD08A85E4
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright . 1981-2001 Microsoft Corporation -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable/>.. <assemblyIdentity type="win32" name="Microsoft.VC80.ATL" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <file name="ATL80.dll" hash="6d7ce37b5753aa3f8b6c2c8170011b000bbed2e9" hashalg="SHA1"/>..</assembly>..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):7495
                    Entropy (8bit):7.336439111669757
                    Encrypted:false
                    SSDEEP:192:6lZ9slZfIJ2hEi1HnNpBjSebyaAqjkKiTbGSTMJR:ifuyeHNpBjTeajCr6
                    MD5:85F9FE638A335EB50D9864CF1EEA9462
                    SHA1:AA402B962A1EA72ABFE0DAD41ABEAA2C65653736
                    SHA-256:2C0305F00EA5BBC4B158FBB6CA0978157701DB1C7D04505A701B2DA4E5EE0D4A
                    SHA-512:7E2A0BC26E4A99CB568E2F14582D29B4963860B720695B872883AF8842BC77334D87B53B7703516837E69C2DC3B0BA8C5D1857A876F440064B2229017933F6ED
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):804
                    Entropy (8bit):5.203501485208706
                    Encrypted:false
                    SSDEEP:24:2dtMEDJ5iN+nyrRg4NnjiNK+2g4NnM23+Lg23kIgQR:ciEDJw0y9g4EK+2g46sQR
                    MD5:202B4B8058BD2D862E652830B52AE9CF
                    SHA1:F312F444C1E5A525D651C271C1BA7F24506201D4
                    SHA-256:A97D6BE9DC81155A62BA68419A54B9B6CEF8999E62F17FC74435A7749430F855
                    SHA-512:08660C192332B21543A5C16256E4F895E173AD3D89D0CED84A8E88DBF95AAD877E70B595ACED4C789D4966A904EA1F53A9E708FAD71722F2ECD7A1A16E6AC59F
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright . 1981-2001 Microsoft Corporation -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.... <assemblyIdentity type="win32-policy" name="policy.8.0.Microsoft.VC80.ATL" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity type="win32" name="Microsoft.VC80.ATL" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <bindingRedirect oldVersion="8.0.41204.256-8.0.50608.0" newVersion="8.0.50727.4053"/>.. <bindingRedirect oldVersion="8.0.50727.42-8.0.50727.4053" newVersion="8.0.50727.4053"/>.. </dependentAssembly>.. </dependency>....</assembly>..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):479232
                    Entropy (8bit):6.028022725727195
                    Encrypted:false
                    SSDEEP:6144:C6KTZsHDwx0TCAQpFTfnPyrerCqq/KruohQFHCxrgtaoOjMQlyD:4sHDG0TMAxKFhQRCxrcQ
                    MD5:75F2A9B695EF3EF22D731F059920F636
                    SHA1:E665F073F8EBA6482D8FA26D5A213C607D8470EC
                    SHA-256:E645846FFD536957F51FBE223E1DEE0F834A5FC7043D956A71E6933C1CE5AD9E
                    SHA-512:8EED3EAF4E4E3217BAFA1B5A009A739AA5663C6CE86F81AEF88995F4BD2B2296F2C09B935E7294FF24FDED72A0C2E5EA95F3ACFA96023EDED328B88B050C182D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):554832
                    Entropy (8bit):6.428533960834858
                    Encrypted:false
                    SSDEEP:12288:UZY4lOHMwLwXBt+ia3htSUa/hUgiW6QR7t5j3Ooc8NHkC2eSQ:UZY4lOHMM8wiShtSj3Ooc8NHkC2eT
                    MD5:8C53CCD787C381CD535D8DCCA12584D8
                    SHA1:BC7CE60270A58450596AA3E3E5D0A99F731333D9
                    SHA-256:384AAEE2A103F7ED5C3BA59D4FB2BA22313AAA1FBC5D232C29DBC14D38E0B528
                    SHA-512:E86C1426F1AD62D8F9BB1196DEE647477F71B9AACAFABB181F35E639C105779F95F1576B72C0A9216E876430383B8D44F27748B13C25E0548C254A0F641E4755
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):632656
                    Entropy (8bit):6.854474744694894
                    Encrypted:false
                    SSDEEP:12288:bxzh9hH5RVKTp0G+vjhr46CIw+0yZmGyYCj:bph9hHzVKOpXwymGyYo
                    MD5:1169436EE42F860C7DB37A4692B38F0E
                    SHA1:4CCD15BF2C1B1D541AC883B0F42497E8CED6A5A3
                    SHA-256:9382AAED2DB19CD75A70E38964F06C63F19F63C9DFB5A33B0C2D445BB41B6E46
                    SHA-512:E06064EB95A2AB9C3343672072F5B3F5983FC8EA9E5C92F79E50BA2E259D6D5FA8ED97170DEA6D0D032EA6C01E074EEFAAB850D28965C7522FB7E03D9C65EAE0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):7473
                    Entropy (8bit):7.340644494617783
                    Encrypted:false
                    SSDEEP:192:k30CfIJ2hEi1HnNpBjSebyaAqjkKiTbmCkNjTePN:kEXeHNpBjTeajCYiV
                    MD5:530518933237CDC5669CA2D190B59821
                    SHA1:CD3562E9944EB8B1B96B776D7A3A36A750DB3673
                    SHA-256:DB75056FB2F0BD417A827E9FF9F96E4A661D67D826329356E7BF55A902A7408A
                    SHA-512:D8C8B710547F9DAEE867644635E9895EC99D39D1F92E3D25E7DD6391AB643BBCDC35F5553CC1DF183D804FF18020CBD8965144C4D324FE5CAB93CB4BE6C9B6E8
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (504), with CRLF line terminators
                    Category:dropped
                    Size (bytes):1870
                    Entropy (8bit):5.392327712070946
                    Encrypted:false
                    SSDEEP:48:3SlK+hig4FB09kkK0hpzWU09kkKqYhzVC09kkK0FFzY:ClthaTXkHnCUXk8hgXkFj8
                    MD5:D34B3DA03C59F38A510EAA8CCC151EC7
                    SHA1:41B978588A9902F5E14B2B693973CB210ED900B2
                    SHA-256:A50941352CB9D8F7BA6FBF7DB5C8AF95FB5AB76FC5D60CFD0984E558678908CC
                    SHA-512:231A97761D652A0FC133B930ABBA07D456BA6CD70703A632FD7292F6EE00E50EF28562159E54ACC3FC6CC118F766EA3F2F8392579AE31CC9C0C1C0DD761D36F7
                    Malicious:false
                    Reputation:low
                    Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="msvcr80.dll" hash="0a38b652c9d03caab803c6b2505fa301e345bab2" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>TM0VvywbHVQayIOw9CSX6M7WpaM=</dsig:DigestValue></asmv2:hash></file>.. <file name="msvcp80.dll" hash="678bf3da5d1987bb88fd47c4801ecb41f51366ef" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xm
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):7495
                    Entropy (8bit):7.340315722980394
                    Encrypted:false
                    SSDEEP:192:NGqfIJ2hEi1HnNpBjSebyaAqjkKiTbGneDW2TTj:+eHNpBjTeajCrv3j
                    MD5:32F6E443F9C091C8BE18CBB050F6A26A
                    SHA1:F0CB3EB76A19E66D73C3D7F14E292C11494E01D2
                    SHA-256:51C55792A77DDFFA2C36FC5CC92CF7E67263B0004BB0B4970F3A00524F5BDBEC
                    SHA-512:84BEAE4B7CB28FAFC46F10B40637B772DD2FFE1A90268BC053DC7EBF4CF33C77A34CE56D4EEDAE4F36E5A5E597D8F3054AF90B82A82567DFE2AF9B9F4E35461C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):804
                    Entropy (8bit):5.198526360830597
                    Encrypted:false
                    SSDEEP:24:2dtMEDJ5iN+nhQRg4NnjiNK+hcg4NnM23+Lg23kIgQR:ciEDJw0hig4EK+hcg46sQR
                    MD5:949BA7F96C442B9C084EA4C4CE117F5B
                    SHA1:97D7B246C87105C65BB7FDB49C410CBB897C256A
                    SHA-256:9415639494EC009216C9EBF0AEC7D5C788FC7FAE45D8B4278D259F3484D685EB
                    SHA-512:8FA20FA498DBB2C67510028AA8EC4575848F1FF61D22AC96E3652FA6C3CAB35B3E5FBE864D67F187C60431E799BBFA8984B1B73736A0672B355C7CAAF96B6862
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright . 1981-2001 Microsoft Corporation -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.... <assemblyIdentity type="win32-policy" name="policy.8.0.Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <bindingRedirect oldVersion="8.0.41204.256-8.0.50608.0" newVersion="8.0.50727.4053"/>.. <bindingRedirect oldVersion="8.0.50727.42-8.0.50727.4053" newVersion="8.0.50727.4053"/>.. </dependentAssembly>.. </dependency>....</assembly>..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1105920
                    Entropy (8bit):6.511556136142931
                    Encrypted:false
                    SSDEEP:12288:Zl+yFNvQhqcXGp/0TddvNdwiYivOHhxKTWA1Z8EBT54yipHrg22D0kKYorgWagEs:ds2/0hdvNd6izr1Z8EBT5zeHbkErgW
                    MD5:4928AB3A304DDF05C354DE3807A4A66B
                    SHA1:24C80500A18CB7E60E0FFB37EB623F2AEF9512AB
                    SHA-256:B4CB81E09AD0D537C776363B5ED6A4E8F57421A745B8C7974FB56E7B7EBE4BAF
                    SHA-512:B474F70750DAB050E4C8C8752327BDF4526602C68E54A0A495E4C69FFB21154560B8A5B4D4AC61982151A5F87037114BD78C7CF8416C3F2DA81B2977EBD3F16A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1093120
                    Entropy (8bit):6.520969816214873
                    Encrypted:false
                    SSDEEP:12288:wsaHmJ//R12t2PdMvWxMIQ1zoKyK0ivyHCJKjswl/KY6oQy3AmgVk2YDFpR7m81H:KHmJ+tKtxMIQNmCcjswl/KYh/2YFnb
                    MD5:686B224B4987C22B153FBB545FEE9657
                    SHA1:684EE9F018FBB0BBF6FFA590F3782BA49D5D096C
                    SHA-256:A2AC851F35066C2F13A7452B7A9A3FEE05BFB42907AE77A6B85B212A2227FC36
                    SHA-512:44D65DB91CEEA351D2B6217EAA27358DBC2ED27C9A83D226B59AECB336A9252B60AEC5CE5E646706A2AF5631D5EE0F721231EC751E97E47BBBC32D5F40908875
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):69632
                    Entropy (8bit):5.39299110758035
                    Encrypted:false
                    SSDEEP:768:Vo3+LxGdzu9COyOi9aBl+nYRqkaylyQDxiy8+62JdvQ+BLmG1mOAPqAM1o:muQQmfnEqkao4l32Ju+BTYOACAM1o
                    MD5:47D2250AF99DFB7909494DBC493D1959
                    SHA1:92FD54092D53BA3DC753B78D97E31C94D59F73D4
                    SHA-256:54591E8634BF841F931EE38EAC7872ED8474F07CD6642AE0E41B03AA7CFEC853
                    SHA-512:06891A40272A5C4DE3B460709CB077F835374577D76D269A23EFF28C16AFB299B6EF89FFEFFF42684039414DD811F1F34FFA9ED5A9304FE690DC59A0C7E3E4A2
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):57856
                    Entropy (8bit):6.020393963996313
                    Encrypted:false
                    SSDEEP:1536:p62a7ld3JfS3TuprkgdvQvvjDOUsglIfuOAmjVLK:ihd3JfgTCrhdvQHjDbsnGOAm5LK
                    MD5:14EBEBE17E9C14902688C484A57170C0
                    SHA1:BF0BFADA1AF2F979D3C847AD1CB50C95EFF74928
                    SHA-256:3E20CDC123091703037EA364A5D9BD7FA0F32FB46A9F1403D07630E4E92D0F1B
                    SHA-512:32B64444805B5DA5DC41B3639A0014CC374F605AC2B9C3BB35A5B994ABBF89D131BC7F968E1DA90E51AD03BBCEE3FE0F1D7799EBF96CBA0A0E2B00BFDA1F20E3
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):7473
                    Entropy (8bit):7.343870165908748
                    Encrypted:false
                    SSDEEP:192:k00jfIJ2hEi1HnNpBjSebyaAqjkKiTbmn6fTf:knceHNpBjTeajCFfD
                    MD5:00692E0B25BE9CF031DF27A9F62046C8
                    SHA1:526671EE9320CE6E2C9665F5A7E871BF57AA8245
                    SHA-256:57D5C1E17D3B003378ACE5418D822C42353F8141380788C095A600DEF44F4913
                    SHA-512:4D7E1C9B2B5457177368D17EDFDA48252E932A89D10C360AA384D40806AC7EBBB1D856617255EE275CF78CAFDF04CED9EF4AFF90E0F63F0B51DEBE090D3728CD
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (504), with CRLF line terminators
                    Category:dropped
                    Size (bytes):2372
                    Entropy (8bit):5.379862999788816
                    Encrypted:false
                    SSDEEP:48:3SlK+5g4DJO09kkKBhZzY09kkKeIzl09kkKzzP09kkKXzY:CltFUXkcLEXkhIRXkm7Xk+8
                    MD5:F1BB778577CFB1E45ADFBB2EAAAD7F58
                    SHA1:171B0121B165B701482F96B02E7ADFFD6C799FCE
                    SHA-256:53B6CDAB4A829674082048606A65111A2D6AC3A1B2BCFB8BE34D8296590D42DE
                    SHA-512:4D125D773A3DD6A0CB755B69053F7D305DE03C3FA9854A87A9ECF504C23C8C37BA3FE533B0CD45762B340E6B8065D33BF7280A76376077FB734EAE52F950249D
                    Malicious:false
                    Reputation:low
                    Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC80.MFC" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="mfc80.dll" hash="46fc9af0bb795fec574d619bfd84f019f56debb4" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>JMgFAKGMt+YOD/s362I/Ku+VEqs=</dsig:DigestValue></asmv2:hash></file>.. <file name="mfc80u.dll" hash="1d3d4e3c0689295a042c2834f2336a76ebaa9e4f" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):7495
                    Entropy (8bit):7.338346154387317
                    Encrypted:false
                    SSDEEP:192:OftfIJ2hEi1HnNpBjSebyaAqjkKiTbGUT33b0x:HeHNpBjTeajClO
                    MD5:F171C36AC2F15DBC2477DDB61F8A422E
                    SHA1:61428860F89D92FECA9C3DB1FBD6F1ED9C194408
                    SHA-256:81BFFDAB9F49EA0CC7EEA7633B89D1381A501F384FB6E2698D6143BA4951CC8F
                    SHA-512:082A163EA730BE9732B6285236EDDDBA458F0821B362E41D74DABE1D4B6BF4B1D45B6411D294EC61EE7340CB4F6B0C9B476015EBE73B6BBBD4A2A66359B3A0AE
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):804
                    Entropy (8bit):5.200075008215966
                    Encrypted:false
                    SSDEEP:24:2dtMEDJ5iN+nfRg4NnjiNK+Rg4NnM23+Lg23kIgQR:ciEDJw05g4EK+Rg46sQR
                    MD5:234C7FA9FA9508870A48193422AFED52
                    SHA1:DA27F537E728E9F77F95B92FBACC0333EB2B4ADE
                    SHA-256:E3E7774DBC78DC7359ACFBE3A50DA12215DC99A9FC6E149B4E896984DE181D1F
                    SHA-512:14C8A35CE2E9207CB4452EB739B35305151D8FE13AC33843AB763FC277B8AD526CEC7F8147E64A0E3F4204629C9354BBB38EFB36C830A682AE68C73CFA2F4F19
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright . 1981-2001 Microsoft Corporation -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.... <assemblyIdentity type="win32-policy" name="policy.8.0.Microsoft.VC80.MFC" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity type="win32" name="Microsoft.VC80.MFC" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <bindingRedirect oldVersion="8.0.41204.256-8.0.50608.0" newVersion="8.0.50727.4053"/>.. <bindingRedirect oldVersion="8.0.50727.42-8.0.50727.4053" newVersion="8.0.50727.4053"/>.. </dependentAssembly>.. </dependency>....</assembly>..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):40960
                    Entropy (8bit):3.7204542319375853
                    Encrypted:false
                    SSDEEP:384:sDNemsol/tAGqyVUIrv9WnWRKJwxV0fwItnFiHyt6S26r81Jd5AJd:sZXsKAGDTrvDzx4wItnFfL26r81nE
                    MD5:EE0A6A73AC52316C3D887A606589EA4F
                    SHA1:9EDB5943D9CE6E246C29B03522F79FA06B1BEF04
                    SHA-256:133AD688D0CB7F4CE9F2E1CFA4A673EB9240304DD9ABC786C14A6DC7E9C60062
                    SHA-512:CED7208A253CD93FBEA53465BCA6E362225F507BAE38CFBC6992AEF6CAADD5455B7FE2787028B528B8F56E55EA0386EBC8FDC852F03B1A4F5C8117E90A80CEB0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):45056
                    Entropy (8bit):3.528114454490032
                    Encrypted:false
                    SSDEEP:384:FDNumStwO/tAGqyVB+dvE0WoWRMMUn5xm9za2JokMw6TERPB1ECA:FZHSGMAGDadvO+n5x4pqwPPB1EC
                    MD5:2E73584BB9D05CFBF0DF55305FDE9C1E
                    SHA1:449F8B4445BAEFF78BE14BAFE4F0FD7A7CE037CE
                    SHA-256:10209785E93B3C21B7598F6F36D607C5043B450620BD8995F55FD44DDCCC5A93
                    SHA-512:F319DD55FEECCDF7B0935FBE365ECBB93EA593817056197846E35E1E5676B7645FC8581B8DC7822045EBDE3165CD796D25428BAE10B07DCFC776FED2D480F124
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):3.0911849949462895
                    Encrypted:false
                    SSDEEP:1536:d1AGDh+vTRzesi870vYtNerHI4Lhp0vcsjsr:d1AGDhyRzesi870hLhp0vcsjsr
                    MD5:4BD94B77F2057F62DF566A1825DF688D
                    SHA1:E03F9CD91556CC421AC6104A03AC012F380E5BD9
                    SHA-256:02C4AD9C96C7D3CB362CDE2CC83C5E819F229FD9C769B539AAF6D27891FA8B05
                    SHA-512:534A62A5908DBF46308B2E703D8B15E5FE1B281EB31CC609C392256B48C6C6540F5BD9645A9FB4321587D80919E401CDC7BD3DC2C50956499DF4B5C0C10BB7B9
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):57344
                    Entropy (8bit):3.0507941340431475
                    Encrypted:false
                    SSDEEP:384:iDNXnSkNsq/tAGqyV5KOvNWhWRVBrxiFc+hV9RLNq/HRK/+nnWT59Dl:iZX3s4AGDCOvVVB4V9RLNqfRKGnWHB
                    MD5:D8584C7FB9A1BA8480F9000C1CA1B415
                    SHA1:F8364B57D585FDAAA21F209E895CE50FA118553A
                    SHA-256:42BD5D7FEFD040E549EF07BFEECB2B8AAD45D1F112D56BBC67F3AD3654347D7C
                    SHA-512:B000397457369E461E95682D0463FFBAF83E4771A966D947023A51D218CABDC316BB31B2B189ED014703775D3655AD0C02743F4609DCE08678756B04ACF9755E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):61440
                    Entropy (8bit):3.0968568065158917
                    Encrypted:false
                    SSDEEP:768:QZTQAGDf3v/Uor0GBFCDCLhedUPYVbS/:sQAGDPv/Uor0GBFMkhedUkS
                    MD5:FE9ACE2DABB257F28EAEF57B48F87502
                    SHA1:B63C75AD41B48E09BAE4D1FAA5184E5FFEA89557
                    SHA-256:C4D2D9499F28DEA4FC8197C7F43FA6245120DC9E3B2612F76DFC21DAE44873C2
                    SHA-512:60FAC7B3E1A8E0F067284BA4F028F1A34BBF5328640D9410012283F84C61831B054B89F165DB30083EF7D79EFEA74F6CFAFE461A861B6CB0736A1225D18D6361
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):61440
                    Entropy (8bit):3.1662098361717006
                    Encrypted:false
                    SSDEEP:768:ZZweyAGDSRvf5rkh2A6NTi7e3RAaTaPCeyGdZmBSg3T1SyyyyyyyyyyyyyyyafyL:jyAGD+vf5bA2SCeB0Ug4
                    MD5:C0E106AAB94CCB5FEAF441A1BCFBA93B
                    SHA1:222FB10FECF4CF3CA0D7CF3B72D810E8718CB3FF
                    SHA-256:2FE7F0FAEF4B98B27E39F408FF21C50C06B91F7F24F7B113108EE1D3BA8C19B0
                    SHA-512:282A16C8EF1DB08A600C81D371623F8F64737100EA619BCDAA9408E21FAA7413B3AB7A78C3F3E8D521D3F87F1359F4DBE2DCE2C17D3CD372F8A26DA56C7F816C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):61440
                    Entropy (8bit):3.103063234993192
                    Encrypted:false
                    SSDEEP:768:uZ0odoAGDI6vaIG57PxtINJ8Il8QcPOCeFO/:Zo+AGDHvaIc7PxtINJ8gIPp
                    MD5:0F404D508B49349332180B3BA274BF17
                    SHA1:2C666BAC190E3E678EC9804303E2AE9FB599094C
                    SHA-256:2208EAFFFD7566238E19A57E0CD54DF364911AC510122B646B3566FBE90101BD
                    SHA-512:4A991A5D8B09BE1BF738E99371744D1696E12371DEAACA4BF7B556CD5D7FC929700990391342D0E50C609A4586A770A9A29E6EDF2660ECE2AFAFCD76901FC350
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):49152
                    Entropy (8bit):3.789600767873271
                    Encrypted:false
                    SSDEEP:384:SDNCysmq/tAGqyVVp7vheZWrWRmJkQbXDr10Jh8I2Bb4:SZXsPAGDN7vQ7mJkkr10IIc4
                    MD5:FBDB3DC6A95FFA5293321EA1FA3F5FEB
                    SHA1:CACE5FB2B0D6681276BE122A85140109F9341302
                    SHA-256:0FAC7453FE03DD9707B5326669D4455BD9AEA7C45A59B4C6AD9F461305F70CC7
                    SHA-512:00CCDD5AAA005CEED98500C1FDCC514B3324C132C3D3DE7996A560D690E163E2A1751ADB9684E8E177536ECE4B76E6D2C8CD918E82DB0E4FF00953F6DAFFEB79
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):49152
                    Entropy (8bit):3.7248175780766326
                    Encrypted:false
                    SSDEEP:384:kDNSnxGr/tAGqyV0/Nv3WBWRlKu/KV0YfmtT2XYm66tHggFK417RTNbU/Ltl3tSM:kZSE5AGD0NvXjriHqN
                    MD5:9DC25A3AE8A447CE7DB22CD2F69C2753
                    SHA1:F00800239CC65FD7FD5AD072EBC5E0BC4EFB7397
                    SHA-256:D61B436654BC7C57A4CB7ED55261CB463C565F67E5CFA2DDF340242EC91B19E2
                    SHA-512:77E8C90515BF34C7936139958DF8175A9622EFA2CDA3169BAF5F6E24999ED7B9424470D24EF1FE9D4FEEB832E12FDDB24DDDE81F17A89873A68CD01071D96CEE
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):7486
                    Entropy (8bit):7.344849450350638
                    Encrypted:false
                    SSDEEP:192:ASGqfIJ2hEi1HnNpBjSebyaAqjkKiTbOUxKKTXg4:ApveHNpBjTeajC1frv
                    MD5:24889A29F3E35E1C4BE8D756D5EB9D42
                    SHA1:1F33679DA3DA36B9D9720C16E4E2DCD5B218A545
                    SHA-256:F28AC29692205DD3A8273062193579A1CB3F42CFFA72A1CD94E453BC281865DA
                    SHA-512:166D81603361F2026CDA5E126824E6DDBD309134C8B95A0CEB362D96FF17B62DA6DD66B4A4D9AF291831530B50FB1B7A86A5DEDAEDC3D5D205949835B4EE8739
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1240
                    Entropy (8bit):5.323698600064057
                    Encrypted:false
                    SSDEEP:24:2dtMEDJ/eiNK+EIRg4NnZvJd+psdQQn+5tEia2v6tFhjkP3mKJKJ:ciEDJdK+rg4XJjCQA2YQE3LwJ
                    MD5:7DC6BCF67B75F04CA4CAAC7EAC8E7A23
                    SHA1:D76F238861195A224B3B33FA57E4D499D23C9ADC
                    SHA-256:7DAC54A5D8AB16ACCCA0ADDDAFACDA6A6F6A76034A4F06834DA344DBCE2FFE4B
                    SHA-512:27948EA6000B008C5D5B4C0A7B92288BBBB7AA0532F73F9AD997AF25349253ACF3F3E830F6FE67716F0CDDEC22BCA66060EC50AC4296BBBB375901BE479DE944
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright . 1981-2001 Microsoft Corporation -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable/>.. <assemblyIdentity type="win32" name="Microsoft.VC80.MFCLOC" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <file name="mfc80CHS.dll" hash="8db04669cde95d8330a1e0a80c0b540bc15d4ea1" hashalg="SHA1"/>.. <file name="mfc80CHT.dll" hash="20deef239d4e83755e8df04016a5268c8b73a10b" hashalg="SHA1"/>.. <file name="mfc80DEU.dll" hash="8cd4af170ed5780193cabea33dad05b9362d4677" hashalg="SHA1"/>.. <file name="mfc80ENU.dll" hash="2cd4807c7b40a166c9eaaa75dae7e2d61957e3e5" hashalg="SHA1"/>.. <file name="mfc80ESP.dll" hash="194ce7e794affc14a2901381124fa3602db796dc" hashalg="SHA1"/>.. <file name="mfc80FRA.dll" hash="d0c9d96473b8443777ce9a3bbe2014051c8e2b11" hashalg="SHA1"/>.. <file name="mfc80ITA.dll" hash="b82d1805ff373eb6f6b3f7194
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):7501
                    Entropy (8bit):7.338965281725641
                    Encrypted:false
                    SSDEEP:192:tRN5NfIJ2hEi1HnNpBjSebyaAqjkKiTbevT+:qeHNpBjTeajCGi
                    MD5:5B4BEE2729F2BAEE6FD9E2B4CD3F5551
                    SHA1:FF7A8894EFB9A761208880F1C219CCC664EAEFEC
                    SHA-256:A7FDFE008C9847F2165399A7D6FD0D1C2DDAE44BDE43A87548389055DC0BAE94
                    SHA-512:7198E23EFB79A5FD6B58A60EA7E73B5ACE235A98F2638F98A3802730F66586863E3F366FAD8814F0DF34F15E48DEDC390B316F1725DAA8DBB3683E09CC7A1726
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):810
                    Entropy (8bit):5.228351581601747
                    Encrypted:false
                    SSDEEP:24:2dtMEDJ5iN+nEIRg4NnjiNK+3g4NnM23+Lg23kIgQR:ciEDJw0rg4EK+3g46sQR
                    MD5:EF6181814A06C7A0DE303A29F7427D06
                    SHA1:9140057F73E625FB9B7FE5B383942572F26915E8
                    SHA-256:19364C927C3BC4021973F0A2DC5A98819A2BF22AA8C3AD1431F0E8287DE53F02
                    SHA-512:73FBBD574F0E777B8003B89FF05D817E361FB49DD7935E074ECB3B729E67A837136998B66E1D9DDB421B5E7B10B82CEAF3CDD514FDE3ED0499A13F0158A6F641
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright . 1981-2001 Microsoft Corporation -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.... <assemblyIdentity type="win32-policy" name="policy.8.0.Microsoft.VC80.MFCLOC" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity type="win32" name="Microsoft.VC80.MFCLOC" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <bindingRedirect oldVersion="8.0.41204.256-8.0.50608.0" newVersion="8.0.50727.4053"/>.. <bindingRedirect oldVersion="8.0.50727.42-8.0.50727.4053" newVersion="8.0.50727.4053"/>.. </dependentAssembly>.. </dependency>....</assembly>..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):5.518832948641
                    Encrypted:false
                    SSDEEP:768:usPMRLY1I4yOKgDbRzsFTHHnH5iz+SynV0ZL2jmPGdUy/AOMp:xoL8IQKCRiZizjeeLSX5/y
                    MD5:C7532F0C4387FC5C3537E0E21969A654
                    SHA1:5E563ED39ABC367CAF2D98095B5223CBEAC5FC8E
                    SHA-256:3BB2505986C41C1B27B713BADDD2B32CDB54E0CC693AEB4D33C0099EB107AE0C
                    SHA-512:9682AA8D67BEF2C71011754845466AE896971B3ED616359C739BD422E31813438FD84E5DC36B0BDA0CE16A374157FABE76EA7B2908976D7C528E4D2CBB6B7C0F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):7486
                    Entropy (8bit):7.34127820252103
                    Encrypted:false
                    SSDEEP:192:mZG1ZfIJ2hEi1HnNpBjSebyaAqjkKiTbOY4V7Tjb:ms1yeHNpBjTeajCwnb
                    MD5:9178AF6A291B74EB7F0374C9573A6F15
                    SHA1:D6640A55B15C125A17BC397CCA9AD1AA52D9CD78
                    SHA-256:D3E19E02E9E3366E40372F11E7E0CD545CC64BCA5C2D750AC5529B9948B725CB
                    SHA-512:F2FACD99DD9DF21F6DDE667357D6019754A052979BFF7CF9E93973C65E42B723631AC5CA6C475402971932F716E4C34D6C121D25B00D7DBB16F7908D56EB3C63
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):469
                    Entropy (8bit):5.3378916941220655
                    Encrypted:false
                    SSDEEP:12:TMHdt7IBeBFJ3/3XO53SNK+tKRgVuNnyEbYHqFEG:2dtMEDJ/eiNK+8Rg4NnhYK9
                    MD5:81DF2A720049678568F37618D627DFAB
                    SHA1:F80A8617DF706AC06AE4642B9EECA9DF5BF02593
                    SHA-256:8778FC802A0FB4A199A7FF3E462C8B5AE57688FC8E027F960E01F07C052A0095
                    SHA-512:C0B1700C9103230389E4E281943887592D6B48F00AA973D92F2B36D527D299FCD5861180A5315F04F3C253A7DCBF0326242965170D6FCAF6160946BBA9CA6263
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright . 1981-2001 Microsoft Corporation -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable/>.. <assemblyIdentity type="win32" name="Microsoft.VC80.OpenMP" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <file name="vcomp.dll" hash="aa2224b5919fc303b3468962ba017facca9ee0c1" hashalg="SHA1"/>..</assembly>..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):7516
                    Entropy (8bit):7.341865344004404
                    Encrypted:false
                    SSDEEP:96:K3e2cD743I1DXOTdotwx9R/0Da9DMURgDvboMsz3wM05DavE8zeM0kKgjdoOP+Mb:KO2LIJ22TpBjSebyaAqjkKiTbe45UYx
                    MD5:713760278B6F1FE4DA7168D3DE31441F
                    SHA1:ED33C304D336B1F4839963144EFDFBF7776DFC42
                    SHA-256:9588F2E1EDC7F64F7D173987AFEFC7627FFDFC3484441DEBE5A25D2310D9D49E
                    SHA-512:A0C2980A0C396D5D0ACA464DB0152FEA0C157BEF032E2B9AF7B25D382948C425241466C2496A7FD295B5C6EAA7EF9224DC97917A60E34649D5F302DC7771EB3B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):810
                    Entropy (8bit):5.206284819035623
                    Encrypted:false
                    SSDEEP:24:2dtMEDJ5iN+n8Rg4NnjiNK+wg4NnM23+Lg23kIgQR:ciEDJw0mg4EK+wg46sQR
                    MD5:3451ADDBF8F9CCA982B4DE87019D53E6
                    SHA1:82AA108D4A468928D27BBC952698EC4F2C7F7DEC
                    SHA-256:946AB2900F94EACE8A5850D64C5FF45DE80A89863093D70C68AFC5769798C65B
                    SHA-512:D20AB6EBC8BCE2DE07D228399DD2F0E7594BD69ED63F2535C6F09789628D099465EA49A03C45122332E8805085F586006297364DB06F3B630F4018F18E3A250A
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright . 1981-2001 Microsoft Corporation -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.... <assemblyIdentity type="win32-policy" name="policy.8.0.Microsoft.VC80.OpenMP" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity type="win32" name="Microsoft.VC80.OpenMP" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <bindingRedirect oldVersion="8.0.41204.256-8.0.50608.0" newVersion="8.0.50727.4053"/>.. <bindingRedirect oldVersion="8.0.50727.42-8.0.50727.4053" newVersion="8.0.50727.4053"/>.. </dependentAssembly>.. </dependency>....</assembly>..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8355
                    Entropy (8bit):7.399558553058028
                    Encrypted:false
                    SSDEEP:192:MjDVxL/CldolM3bd59MYbz2uT+InugbyaAqjkKiTbW/J/:83LCcUJvMYb6uT+qugeajCo
                    MD5:29C0897D5D709A2394960B26999126D0
                    SHA1:56501EDA82ECF05C4A90B035BE62B422A24C71C3
                    SHA-256:DD72F7AB2DEF5F75F58D01B24643B308750C38685DAAED50BCDDF61C18460DEE
                    SHA-512:75FB603D58105F0A2AACADE320E2EAB212DD6B3D6FCBDAB09CA137D123CC1DECB88C848B81E017BBDDD41D9591900FF723AED90FB0D6166E8C62E3C14D39166E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):800
                    Entropy (8bit):5.192462113683958
                    Encrypted:false
                    SSDEEP:24:2dtMEDJ5iN+nhQ56g4NnjiNK+hcg4NnM23+LJ23sZQR:ciEDJw0hk6g4EK+hcg46HQR
                    MD5:A785CE93C7468DBCDFA7BC379F8FFDDC
                    SHA1:D10440930CC994409E920D94C7C45F0405D60422
                    SHA-256:3A131923C7403C1EEF33B59FDCA57D8272549B7912D2B522FC8A4C840CBCA735
                    SHA-512:8E514E11887F6A198756F4A4B1A584E0A337ABEF90F1A9330436E21E75CD5FFFE7E90A80424018C03EA55AE43758FCFA16F5A7C266D5476CE8F985F76CE5CADA
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright . 1981-2001 Microsoft Corporation -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.... <assemblyIdentity type="win32-policy" name="policy.8.0.Microsoft.VC80.CRT" version="8.0.50727.762" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <bindingRedirect oldVersion="8.0.41204.256-8.0.50608.0" newVersion="8.0.50727.762"/>.. <bindingRedirect oldVersion="8.0.50727.42-8.0.50727.762" newVersion="8.0.50727.762"/>.. </dependentAssembly>.. </dependency>....</assembly>..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):479232
                    Entropy (8bit):6.031745108754355
                    Encrypted:false
                    SSDEEP:6144:9Rj8Tfo4zrcq2FXOth6wsjb2fPzatjLhQeRW86ODl1KWOjPQeH:9So4zATQsjyWRhQ+W83D/6QO
                    MD5:CAE6861B19A2A7E5D42FEFC4DFDF5CCF
                    SHA1:609B81FBD3ACDA8C56E2663EDA80BFAFC9480991
                    SHA-256:C4C8C2D251B90D77D1AC75CBD39C3F0B18FC170D5A95D1C13A0266F7260B479D
                    SHA-512:C01D27F5A295B684C44105FCB62FB5F540A69D70A653AC9D14F2E5EF01295EF1DF136AE936273101739EB32EFF35185098A15F11D6C3293BBDCD9FCB98CB00A9
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):548864
                    Entropy (8bit):6.402420828464982
                    Encrypted:false
                    SSDEEP:12288:Q1HyurvZ0JPjuTtSu86th1n/hUgiW6QR7t5j3Ooc8NHkC2eo:Q1HyurvZ0liTwuhtjnj3Ooc8NHkC2eo
                    MD5:4C8A880EABC0B4D462CC4B2472116EA1
                    SHA1:D0A27F553C0FE0E507C7DF079485B601D5B592E6
                    SHA-256:2026F3C4F830DFF6883B88E2647272A52A132F25EB42C0D423E36B3F65A94D08
                    SHA-512:6A6CCE8C232F46DAB9B02D29BE5E0675CC1E968E9C2D64D0ABC008D20C0A7BAEB103A5B1D9B348FA1C4B3AF9797DBCB6E168B14B545FB15C2CCD926C3098C31C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):626688
                    Entropy (8bit):6.8397070634061174
                    Encrypted:false
                    SSDEEP:12288:6Fqi2VC1J7Zs7a5zchr46CIfsyZmGyYCqeC:6Ui2C1JdoiEdmGyYu
                    MD5:E4FECE18310E23B1D8FEE993E35E7A6F
                    SHA1:9FD3A7F0522D36C2BF0E64FC510C6EEA3603B564
                    SHA-256:02BDDE38E4C6BD795A092D496B8D6060CDBE71E22EF4D7A204E3050C1BE44FA9
                    SHA-512:2FB5F8D63A39BA5E93505DF3A643D14E286FE34B11984CBED4B88E8A07517C03EFB3A7BF9D61CF1EC73B0A20D83F9E6068E61950A61D649B8D36082BB034DDFC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8335
                    Entropy (8bit):7.405582810794059
                    Encrypted:false
                    SSDEEP:192:80XxL/CldolM3bd59MYbz2uT+InugbyaAqjkKiTb2LQ82:PBLCcUJvMYb6uT+qugeajCQ2
                    MD5:790ADAF5E825415E35AD65990E071AE0
                    SHA1:E23D182AB1EDFEF5FD3793313D90935FC034ABC8
                    SHA-256:88B03FE13D2710AD787D5D96CD0E5CBEDA3A61C2A0A2BDC0C0984A48365242E2
                    SHA-512:050BBAD3122CD0627ECACAF3FB24EBF1E1845F209C33ED6607B282D9DCD4F5D99E345DF3A99E4344AF2ABA6E7923C8483E8D5A8D709BF97F3CB37926D975FDAD
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (504), with CRLF line terminators
                    Category:dropped
                    Size (bytes):1869
                    Entropy (8bit):5.395078491534145
                    Encrypted:false
                    SSDEEP:48:3SlK+hk6g4u09kkK23zWO09kkKFzv09kkKldSzY:Clth9uXkd3COXkgTXkX8
                    MD5:541423A06EFDCD4E4554C719061F82CF
                    SHA1:2E12C6DF7352C3ED3C61A45BAF68EACE1CC9546E
                    SHA-256:17AD1A64BA1C382ABF89341B40950F9B31F95015C6B0D3E25925BFEBC1B53EB5
                    SHA-512:11CF735DCDDBA72BABB9DE8F59E0C180A9FEC8268CBFCA09D17D8535F1B92C17BF32ACDA86499E420CBE7763A96D6067FEB67FA1ED745067AB326FD5B84188C6
                    Malicious:false
                    Reputation:low
                    Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.762" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="msvcr80.dll" hash="10f4cb2831f1e9288a73387a8734a8b604e5beaa" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>n9On8FItNsK/DmT8UQxu6jYDtWQ=</dsig:DigestValue></asmv2:hash></file>.. <file name="msvcp80.dll" hash="b2082dfd3009365c5b287448dcb3b4e2158a6d26" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xml
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):45056
                    Entropy (8bit):4.198816622686052
                    Encrypted:false
                    SSDEEP:768:hhfokZz0thsPWhneWFjtygCFnH0z3EL5oZQNf:hhwkZz0thoWlljrInGELuZQNf
                    MD5:5EFEFCC2A87FF3DBF0E99CB063EA2589
                    SHA1:8A38ECD5357873DE42EB4613842C2318DBA0FE1C
                    SHA-256:26E0CC86042075A6E42ED28E45E3BE2016EE27533FC73083A50F7637D1337034
                    SHA-512:824C74AC4F66CCADB6974EDE57584E2742F1BDD30337A33C5C56EEC88DDE47F294A379979D19A2878B0D2262155B4CCE0B259006684C3C1CA47DC7F87191813F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):11776
                    Entropy (8bit):5.077315695202532
                    Encrypted:false
                    SSDEEP:192:lAirVKrLv542eygAG4Yb5bKopYNMscXSP28e0huS5RGvuz4:lZrVKPHelAG4Yb5Ooscq2MIEGvW
                    MD5:F6636F5FBA961A0D2D5DDC0898FB7151
                    SHA1:8906AE3972FB6824F89C6A99FD05CF7AEC9922E8
                    SHA-256:127C1AB2FDE3C8E22DEBC59475EC31B447A947D41B08F985EF3238673E4697E6
                    SHA-512:256634E03374CE0656C2741540605D87A16B8F18D4205ACF15318E747BEABB43D5695FDCB621EC307832C010E640735A6EB24FFA761BA126EDF599D37849B6DE
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):231280
                    Entropy (8bit):5.630305867257215
                    Encrypted:false
                    SSDEEP:1536:fQvdjF+8NvPVc4xe3fILpE610btFpfqi6Mw7vRAnaur9rHUe:fQRP3Vcxqm618FpqiGAaur9o
                    MD5:7926DFA947540661B2CC1A1F687F6EFA
                    SHA1:6E62386FDE80AF9B9E29B6B2461D016B1E7108C4
                    SHA-256:4499D32DB4FD8CDF981EB9D255A7B3DA2019A5B544144033C7B6C42725C540FC
                    SHA-512:EDC2DDEA636EEF47A506F106E3228EA8CFF4633696B300B67A521C455E9EC57F45A9BFC792396BB20C9F36B89C0B9B4AC456E3A0EF576A9AF8FACDF4397DD416
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):28672
                    Entropy (8bit):3.484197650090536
                    Encrypted:false
                    SSDEEP:384:xz93trVVguRefjy5I55Tmhb8CxMBTIOT+XbpzMYT0IKNnpE936gF1DCiZxUv3FWQ:1onpE9NFdCiqVgyD
                    MD5:759D2DA82C964CEBF82310AE433E67A5
                    SHA1:DAD86FDF0CAAD78E034EE4536D1B41A41F1C6774
                    SHA-256:83876F03F475AB633909B16FE94A369787592CD6B5AB4436B92CE22CF89FE59B
                    SHA-512:FAA87E75F2A73D62E33334E1D5868BD2BFB6C5249A0D6E4BEA54886829C9579A6A91191B7EE549EC676B5D976D82F54A8FB3DFFDF1782137277FE24315EDC7DA
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):32768
                    Entropy (8bit):3.8835654670470685
                    Encrypted:false
                    SSDEEP:768:gKbL1wAOKvUQoi6zzc/cQTQjfvn8wCIAiz4BWIQceh5EDp76NFfAgsl:KA7l
                    MD5:31F626A948C26FBD808E6DCF3A3576C4
                    SHA1:A01E3043A5DC77B97868E88F31935139AAF58269
                    SHA-256:016C8E629D16D5DE46916CD3E04D319B33CC62852E313413A5307AED75B93923
                    SHA-512:2BFC687E92D14BDC0D8DBC1F81EF11884819AB84E2DAB074E30D193B8E708DCC45FF4B058F67957C11001FF8C0650E429FFDFE3E7DD5B500C112D5D87611A2BC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):45056
                    Entropy (8bit):4.636038723542799
                    Encrypted:false
                    SSDEEP:384:AYYVEw6tnBNo0PMtzq1MTkB+YWN57l3yVSczgemHjL8BDty8mlL3dQcKIqJCOR//:5Yuozq8eATtQci/Flk9Bs7
                    MD5:56B66712E4CE4B4B5ABD8979E963F242
                    SHA1:171179AB7280D5F09CB1789CB0CEE6F3B0A9CD07
                    SHA-256:290815F32BB63A09C627D3B01358AF0FC225D104DB8FC80687879763D5896748
                    SHA-512:646B17E83D7F35EA76CF2EF77CD86DB5F44A5538A25F7AEAC42A29199EC93D0E288B51E4CFA502E9F5F855F93ECACA6AF68B06D0880F9911BBBDF77B037CC224
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):73728
                    Entropy (8bit):6.181606803329701
                    Encrypted:false
                    SSDEEP:1536:UFvUyqFmCCFTU1AfafvdhWLLEDTYZJqz5JVkT7:UFvqFm3T1iHb4QTYZJ6JVi7
                    MD5:D5B6D445F80968F3F530652CEBFC6637
                    SHA1:9FCD4D61F2D1354392EF9E199F52667F8E5F4142
                    SHA-256:3C1CDEA840B4865EF9C40678103978D0B336024C9A8D2B7C4931F956AD615657
                    SHA-512:DB02C37B6B79680DA105F69AE6F6A9357F41685D680C802490C0A2F10F4A319A236FB519B092D181CE0D028A32DCE9FE5D90FCD5B4B9A7D977539C632D394730
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):57344
                    Entropy (8bit):4.340841033200829
                    Encrypted:false
                    SSDEEP:768:lYckKCcyi7oC4phnbh7K2NQ75Lz6zi4bvVMK/JKhhs5AcbycIMcg9Uph6rklUhk8:lYckhcNoJvnVMurkwQNUUHs7
                    MD5:B92B1B93FAF2CE647B7A12F928C4A983
                    SHA1:F8A41B2D470A9358069F52A0E5393BBF9C982FE7
                    SHA-256:44ACC1374E9AFC21A512A80C70E7A76856B13B429B9F80D543E6382CC528217C
                    SHA-512:1B796795324B69D153791108FB88B38E3B54BFE1071001DE1ADD2F8209B878CEB493DC70B2EC350ADF2A6C634045AA0AE7D89063C5FC5FD6EC5CB973A578CA2E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):45056
                    Entropy (8bit):4.017895428846753
                    Encrypted:false
                    SSDEEP:768:JYHbt/IPPJuSIfSnjx2WpbcicTQutGeGEN0C8B4Q6s7:JYHB/IPPJuSIfIjZwGV6s7
                    MD5:3086811F5551669B558BA9CC3C94D3F1
                    SHA1:AD5765F483656C393F74F88B2DF1B5913D9BE7C3
                    SHA-256:570506C1BA7CEDE2550E9EB314377E187D35A1439FFA040ADC0A6FC4E69584FE
                    SHA-512:F5F63F8C37ED49FD3B237A0448E770544396AC217036C00613E825C95FC91674B9BC6F7D9D85D75FA5E0BF76125C8F8566EECEC428E018D69F5A8FB9B0519069
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):296816
                    Entropy (8bit):5.856217966102807
                    Encrypted:false
                    SSDEEP:6144:wat6IwKl/oz2K2f0Ej5gM46OzF7WUfCCTjmr0MoqZDAAjo1LMSfGPMy/Krr0tvz9:wat6IwKqyOLpGPMXQNzVn
                    MD5:16FCECD214B4FC9080C0B238AEF4CDAA
                    SHA1:F249E077F42D40533F72F681051D94D2623D8CA1
                    SHA-256:87764266DE6B60491D7B814673F7A93E4D09D4385219ADACC526D145AE31698E
                    SHA-512:FF0B0573DC3FDF705C514B2ADC30D9A2822387CB3290025E3B2FB5B3453599DD6689D6D0AE7E3B0F5FF4CC918D1E63F1A861C7B61C14C22B50AE0F805CF62A55
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):6656
                    Entropy (8bit):4.695495336308435
                    Encrypted:false
                    SSDEEP:192:j5vemKj0Cc4nE5fDpF7deOvefKMaZ2pWLDLAY4P4:j5IjU5rpF7deqeSMaZ2pWLDLAYQ
                    MD5:8665859F07913698E84B383640916479
                    SHA1:D6445CDF3FFB762756FC2F9A26B998FC682A7329
                    SHA-256:8C120F032097C66A8848D78AA85CF6FAD6DA526A8E5B511078E2E82674EC4FCB
                    SHA-512:3D78A498F78A2E2AD6D30877417D8A0623E88D5FF5C1AEB522002D6D495A8CD587E41DA1DC748950279634F21246CA6FAC2901F94BB829F328D5721133F48034
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):4608
                    Entropy (8bit):3.86263720568687
                    Encrypted:false
                    SSDEEP:48:6c+FJfKGp3ClR4XfoDC36hfMl+Yb2LcrzxHrDfgt:oClR+RKhftJytLr
                    MD5:1D3E9F5357BC3EAE7175C70B94DBA5FE
                    SHA1:BADE2200D807EAF744A1ACAD249C55B66242FF4A
                    SHA-256:DEEE56C28DE35A2B0CCF390930DF8CE14AFFE9B35DF1D9791235A19F4DE08E05
                    SHA-512:3FCAEA4DE9800BEE5F161AC1BB4BB5C3583F2401BD8ABBF8C27F4EA1495BAB30BE5054E0218B8D591CD760C82D7CB8771BDBF2EC5CEB8CC90E64EA2041F71691
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):5632
                    Entropy (8bit):4.525444313711425
                    Encrypted:false
                    SSDEEP:96:PPwdacRnfm/Dz/OCcmnmLzx5vGpH+PrRVLAcwahWU3o6oB9Eoow:POfm/2Ccmnmnx5vA0LAcwaD4
                    MD5:8DDE32767803E18DC6BEB6F210C91A85
                    SHA1:01555411B2AEB470BCA275CFA38564B806D6AC60
                    SHA-256:E7E0A5AC54867990EFA6599B2FBC8375EA557CDBD502F7F8467565AB600B5CA3
                    SHA-512:6CA8FB2DDEDCD6BF20BBC9FA0C7EB49512D848B6B5926FC23DD75B9FFBD1EEB3997B0CA9F9F456212A526E4AA28BB5EA0C1070FC399890E2B02C16CB8318C99E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):45056
                    Entropy (8bit):4.202437759398213
                    Encrypted:false
                    SSDEEP:768:RHOYv9PBHilLmVVTMkdhariYU++Ek3HnFm3U+s7:RuYFPBHilL8V5aDZk3Hnas7
                    MD5:40B64F0789ADCCFA4993B3E2C7DAAB5B
                    SHA1:281BA8B3EB4FDE3EF29747C47CB7B32C79651026
                    SHA-256:70DF29F56324F5F1C47756820B5A66487D753F2A00230BD072374C038C2A56AA
                    SHA-512:314971A4E9C68CA6197CE0656B4D26544DE10709DD269C493A17AE67D8A3748BC628653AC6346A4032D3EEF0DCBA472BB1B2822FFA3C42A6ACE5C09B670415A6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):45056
                    Entropy (8bit):4.059886429915149
                    Encrypted:false
                    SSDEEP:384:N0ohVzx0g5bVg3za5rSc0LDekT8PbbD5CnLIVTFYGf9Rv8V/B7leUdBFEs0sfsOt:/hfF70Oxf4Fd/biHxj3cSkyve
                    MD5:9D07FB649D4D92D04E9FD139244D8DDD
                    SHA1:9AA2178048DB5ADC001986DD06FA901A473ABE59
                    SHA-256:1ACA61DBB3FCEFFA5F758A375948A0E1F97D58E0596CCDA39B34DD7B36C5AF5A
                    SHA-512:D3660E8BFF75D1442D119EFC35707C63B9D88AD5124FE71D5BDD5038919136B13A188003D1BBA0A8BA1F79A03D9646370813E3E59F7A50F02D2E9736EEFE4376
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):5120
                    Entropy (8bit):3.8470426251111713
                    Encrypted:false
                    SSDEEP:48:6VzDJfkOJUU4Wr43ClR4Xfo4zhfIl+Yb2LcrzxHrDfgt:AqUR8ClR+hhfRJytLr
                    MD5:DB3A415ED16D295DEC85E3B2C8737DA4
                    SHA1:BA85B47780F627D6619796C44E58B1DA2C461E98
                    SHA-256:F571B8CB4AC98323EAEAAD43B801D2D4C445FA38B5FA75F46B536C1272F0E068
                    SHA-512:58B863491F461096AC6650B979FF5AC1BB6CEAC92BB5C331730521AD2397B99BC928790DE9803661AE382B00AE5598E931C4F8227BF6F3D59A46FEE7D23E5EA0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):4608
                    Entropy (8bit):3.848922682335159
                    Encrypted:false
                    SSDEEP:48:6nlJfafb3ClR4XfoWVlhfYl+Yb2LcrzxHrDfgt:fClR+5lhfhJytLr
                    MD5:A586705C3C3430E0BE93A31F62F62952
                    SHA1:AFD612BF671C277947C8B3FBC6DC1364B6B7586B
                    SHA-256:C99F4F57765A661A81C27166D5586FC5646D3BB722656A022478B54411DE37AE
                    SHA-512:89BA04DF195ABEC2CCFCEEC81456125E932261F8A275689AB0F5FCCE40E957C1E4E16785EDEAF39C206F4CD0660731B1C0662EC0E80B1FA7F58C2863DA971AC5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):40960
                    Entropy (8bit):4.182976240267102
                    Encrypted:false
                    SSDEEP:768:WLPhyvkXYxUVa4dZRj03j4fAlkBUiixL2idlHpZE2O/aqr:W7hykYCVa4dZRj03jNk/kHHpZE2O/aqr
                    MD5:68EE912A44B5BF206C7EECCC4247C7AB
                    SHA1:2874FE61B72E50570B98C34176AA84248FE9E084
                    SHA-256:3A9CFDDFA49B51DB136AFA71C57AAFF37CDC7C0DEA9EEB8864FDFF9EB07F2148
                    SHA-512:EC8B1B5A862E80579AE381934BFA999334039B9619AFC7D9EBF43E3283C382239DD2FF286F63AA18DA064B8A47A4F34F17DB7C2FB105797585C8D77AA1573219
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):40960
                    Entropy (8bit):4.443304945839707
                    Encrypted:false
                    SSDEEP:768:NhfOOsYAB+Nw8PM2sf7wf3Mi1PxicuGWQQF:Nh9sYAkNwXhf7wf3Min0GWzF
                    MD5:26329C4324B36B7BD528E3B9F4759F54
                    SHA1:5D9F16F575319923F47211F1E40F8415E81CC301
                    SHA-256:7DB98EA63C9B937905F323BE938642096B0CFA1CE5945DA61B2B45530502E48F
                    SHA-512:0A8D81B6498E4E99ECDF8BFAD33C35CDFF953F34669F594BC3F0122FA5B47589EF844F0CAB03870106DBFA7640614922151EFAF4757F7C639CD588C0F0713D32
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):6656
                    Entropy (8bit):4.864266232993376
                    Encrypted:false
                    SSDEEP:96:gEVioO5ncpSMNMdzZLWOveyNp/gaimOVKcYWIEN7vYih3U3o6oB9Eoow:RW5ncpSMNMdzAOv5NhrlWtpu4
                    MD5:1BD0A11A54996C05178F6858F3C9E981
                    SHA1:D0BE4758700906F78F67D64540C0E86C7FC978BC
                    SHA-256:CC45A447D80E02CEE2639215EE7848C634A3408BDE1D1C622E13674306B7DAAB
                    SHA-512:32891C083D707D4132B6837ECED37B3D0390A2BE41355A95A1CD841161232E64314FDAC00E600417FB26F5B3344CCD06F9F3FDFEFD878759643ADE27E296C431
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):49152
                    Entropy (8bit):4.341553223836884
                    Encrypted:false
                    SSDEEP:384:NhVzx0aToYAIQ/7AZ354R2iklfTuK6L6CVZkCam6+8K9xPVmQ4yqYLcsVs3lsVsQ:Nhf7z3eam3OyzLcfg0PM4JUxd
                    MD5:E72FDE1A960332CF3B7460260F682604
                    SHA1:9068222761F4FC7EC20459F0B84FE90338BD77CB
                    SHA-256:1EFF3042811131A71A207543CBF7A714C3FD2ABF6971DB1C1D2F3C5DC5F8E662
                    SHA-512:E112C7044D35C2C0546FEA01A1212A25634997181EEFCCFB798CA91241B06660635B030CD8943053240F6C0055EAE760DB0CB8212E48E7521A4A6D1A08C4FAC8
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):4608
                    Entropy (8bit):3.8552583854222524
                    Encrypted:false
                    SSDEEP:48:6pFfXJfeE0cus03ClR4Xfo9S0hfMl+Yb2LcrzxHrDfgt:+fIEKZClR+d0hftJytLr
                    MD5:A96EE8766982191C2861CBC2E149C0D9
                    SHA1:1A46E9AE644076B000C40B0259737B0DC126B674
                    SHA-256:7F013AF2567B6EB1D05FBFF1268DA1D27E1F570AF83E67F2A581687C956E05BB
                    SHA-512:A581206F1722C737B40135850AE75466B027A892367CE3DAAC46D0B02D4C528A7BE232812ECC2EF468A6AB8FDF7FB2BEDA473A43B88A90A4B241BAF91F289DE7
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):6.2391972855814
                    Encrypted:false
                    SSDEEP:768:F+vUj3YpTyt0o3paRUzN1WvVb3S6pu5JunU5z2UkfzTyS5s5J/IDb:gvUrYpTyt0IptN1Wtb3S6+uoks5JgDb
                    MD5:C50070FD2CB016CD5A863E02A983523F
                    SHA1:4D3AADF34A93A565798407CD3811D14E0F339D7E
                    SHA-256:8C6E7B4BEB48990D43F31E82F8970DB9FE5A9AE1F8EAC9920E0EE16797B8CF40
                    SHA-512:E9122389D0B4A97EF29FF03E7A5B396DFA17588589690A6B4A26EFBCD7093A772525A74B3D8C6379661FF7E6F90A6C8F6EF907F57619B6D89524D3C9D1B10779
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):6144
                    Entropy (8bit):4.606318968144425
                    Encrypted:false
                    SSDEEP:96:wqzmXViA9P5PclM+MdpZct0nzZ71Lj/1t5X1p3MucozM978h/AU3o6oB9Eoow:wqz+l5PclM+Mdp20nd7Rjtt5lp3MuQ9n
                    MD5:4B2F4770CEB52A1BBE9B4FAA0CB16D1C
                    SHA1:5E6BDCAA9ADA7B7EC44889409262768EA585AEDD
                    SHA-256:E77C6658AB82DD2FEDE838DC9BE5DA787223A31C2368F41CF66E6D11CDE66B1F
                    SHA-512:A4E88E96202545060455C57F26E82727DD948129BBCC75E0BD5695C27A7BF3DFEA18FCE246C9A0C1C6C2B1B97960A5F9D9C3E0DFECC07F602BF70A3AF9CE82B1
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):296816
                    Entropy (8bit):5.856355922703588
                    Encrypted:false
                    SSDEEP:6144:4at6IwKl/oz2K2f0Ej5gM46OzF7WUfCCTjmr0MoqZDAAjR1LMSfnPMy/Krr0tvzZ:4at6IwKqyPLpnPMXQNzMm
                    MD5:85816EAB04B6AE8EB154C962E32D5AC8
                    SHA1:7293CA01C5F91FD637F4EE814AA5CB8B0EC584A3
                    SHA-256:CA059CEC59A78539B8534C6BA6F73E37FCF9931E2085070A0681814E3E332DB7
                    SHA-512:87677886F11A21AB0C745AFC4C6F1887EB88A6D426EF5C105B6B30370388D7F026B886CFAC8A06D2DA735102731A748BC173F11DDA0985220C6C9194ABECE58E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):12800
                    Entropy (8bit):5.252946520141614
                    Encrypted:false
                    SSDEEP:192:EtirVKrLvQOzDYJYfEnOhhUpVJekJvTcobo0Hnk6rvSp4:TrVKPpvYJYfEnOIpVnJrTk6rvA
                    MD5:D7E69B0E98C1C2E02B64C73BDE4712BF
                    SHA1:0E6FEE23F0CEDC6A4BBC8FF2044EEC6795D7B743
                    SHA-256:A98CD587B35F30FF4BAA546E86653F9ACEA3BE6B98630D4D64850F8A291F2551
                    SHA-512:D1C306B710477B163D81CD8ED0266535587D2EEEFC8D53F3F445455215889425CA46B61DBE70E3CAEE0E1FF479B5CF068E0C4218A7F5F0DE0B08750B60370FBC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):4096
                    Entropy (8bit):4.25008435860279
                    Encrypted:false
                    SSDEEP:48:6Mp9rI25eYsEnvLiR9xnFf/5gx81h7hmLvXbro1pOor19E3Yo/gd:DdH5eYxnvgnJCmh1U3o6oB9Eoow
                    MD5:3F662D003AA2DCAC2CC6FB0744E85044
                    SHA1:ABB6B17828CFC810EE91865FF4780AF7624EA306
                    SHA-256:18ED18C812224159E1EAB0682477667EF05B8C9A0DB320E4EF1B814CA4826BCD
                    SHA-512:864E6231A18FDC21D19BAAFDDC7C2A7DF1B665DB04C9B9EAC60CE05E5CDE7FD42889797C9941638E231D1FFA83A40E174B8DEBB6A536F46F171F572C7AD063D5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):11776
                    Entropy (8bit):5.017242318260692
                    Encrypted:false
                    SSDEEP:192:MirVKrLvQe8gS4oMJ/dfHgb3vXnGh7YieuR++W3WtgYwjjd9v+KS4:lrVKPrdoMJ/d/gzXG9YieuR++WagYwjm
                    MD5:0B7EB0D5B286E55911B4FBFA7D237651
                    SHA1:5EC0C029F58CBA9EF77DBA7049D12C50B32DA63B
                    SHA-256:11B6A130F6B2D70D49E1148AF18F905B89D50D45B3A606357F4C79794A21525D
                    SHA-512:83A88A888B24403A1E547F2995093635673BCC521044AC9A7DB9A490629805F982B2BB92036489BF80F5F47C34E6B6CD44AB1FED95336CFBF171D9FC4F107534
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):6656
                    Entropy (8bit):4.555546951541871
                    Encrypted:false
                    SSDEEP:96:ulVi4+5icwM1Md8Z2NTig2vwymt46M65nd2cAKw9FhjU3o6oB9Eoow:au5icwM1Md8cd2Yye065d/A99Fy4
                    MD5:E7C70B4AB3CA755221A09C9B44417345
                    SHA1:1369A62C80A1D31D1E3B42AE68A48D97FB413DB8
                    SHA-256:0A79E06B6B3424A03A05D60FA189C818ED332BC2870D88C2E6B3CE75E79BC10A
                    SHA-512:9C32C33095AE06ACDB5FF48A6943BB85456B694756956F7FD4E5A4C19FAA11E04076B3DA8B3DF02B7014D75DF4349694B63210C447F6C254EFC4D5A29FFEDC34
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):45056
                    Entropy (8bit):4.226020956483515
                    Encrypted:false
                    SSDEEP:384:ZhVzx0rJ25MR6uy68p9qZnYSMM7PWS3d/3vFvVocN2wrUBe82OpSSEJ1zDsvsFsa:ZhfCITqJB2wr//BBh8I+NjcSPBzk
                    MD5:5F992DD95AF2E0561804915C0AFC9E0F
                    SHA1:896BE7BBABF527E817EE4B2CCA03238720616159
                    SHA-256:8E3328B91345DD91C4AA9F9B839D112BCD7F3A3612887CC9E367DC50541554E7
                    SHA-512:3537AA11455D999312C6533AAE499D1A9C4BD2985C2E58817F2EB743782907CB50F93CECB317EA4617DA26FB4BE9DA0FDA7A07D7FCB4110A7677FED57868E2B8
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):16384
                    Entropy (8bit):5.103342503943513
                    Encrypted:false
                    SSDEEP:384:Tz9i7MNy1RjaGKn5r5nZFvDVhHM1/Txb631fSyTo5H80IVONoVIh:Hj7VZqh
                    MD5:C5E2EA44FB158241C17C8D48C6D74AEA
                    SHA1:BA6385FF740A8BE20061C17F1FAD34FFB009F251
                    SHA-256:BB5C5DF7F17D45C129CD1CB94DFDD0103133C338E47E66A4F9511EB5BCB586CA
                    SHA-512:0A78050E56539429CCEAE5A8D33D4640F0E10F3E16A9314480F3BE25936CB01D8BD04F1EF84B7EB225D48A9B6AD315B5F487CA2A330BCB0EA5F04A9212ABA7DA
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):45056
                    Entropy (8bit):4.239172047246856
                    Encrypted:false
                    SSDEEP:384:gBhVzx0k7NL/ckvK+j7gqwXHPZmQTuVF0DKjOVRQxTsyurMwhSMblpmbo2B2s4sl:2hfntTTwQwyOIh7TDBmzD818kFH
                    MD5:4944882D76D7D57616BD3D577AD9A5CA
                    SHA1:29B6C3FB57D9EAE63BC4AF029273FC1D3B323F74
                    SHA-256:2BF5A240B2AC8AEFEA58E81FDF5184F57F8380D4BC2D5018033677EFF8A20F4C
                    SHA-512:7763778390F37118F2C8F0D2901248239B1F6D65C115032192E5779B308BA4AA15C8C63DB699213F84465E41E4891EE9A426109E17580DC33BD1F8FB702CB096
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):45056
                    Entropy (8bit):3.9814805513129423
                    Encrypted:false
                    SSDEEP:768:IBhflkKgmG0c/Afz1szUWYeXv9lBRtZTO7Zo56i3r:IBhNkKg50sOzip/y9y3r
                    MD5:A62661DCD3F82DAE5DDE121173AFBC61
                    SHA1:463919C9EC0EA07308D4309C75EEA082E4515F72
                    SHA-256:FE96B550597DDFE851336BCE7AC8E008CD2364096CA98F4EA7F19B8CFAF307B7
                    SHA-512:045AFDD31752767C62341928B99B41B582069F4388D601FFE17158EC7BC7D118E1FB430E40413D9B4BE5D9CF68701D82B945BBC4D8BB0BC4984BFD8B0DD96016
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):11776
                    Entropy (8bit):4.958451760919056
                    Encrypted:false
                    SSDEEP:192:Ppx7irVKrLvih+HGV4/FeS7YNkhTKigBcOujsBP2PVQtMa7EN+26YLfvoH4:PpxmrVKPMTV4/FeS7/TKNvuSXMaS+jY8
                    MD5:8C221BF6666A918F36C68A1791DCD78E
                    SHA1:B82C1291569DCFBD65CC1B014FFD899876CF67CD
                    SHA-256:C07E0D45B8AAE19C69C73C7CB2FCEFA0156587F64ABD539C2CD53B63E3789D9D
                    SHA-512:CC87C1DE54B3E0123AECD372489867620E2C2C5E74B915BC3EB0E729DD24FC5523E397604CF1E0CB973A1476C8138D9E0B74401CE9874EEF9F71AB3E47C3BA38
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):61440
                    Entropy (8bit):6.42671500081971
                    Encrypted:false
                    SSDEEP:1536:WvUeWtIXCoH9tW2gX/xwFWhaVFUOHzDxvY1XE5Jbla:WfWtIyoHUPjhaxzyqJBa
                    MD5:5B150C3234B1EFC6A58E8FE105822E45
                    SHA1:94C74C81F44A2A8049FB5DD871209E2013F6900E
                    SHA-256:505EB6384A85F9449F224C25AFFD26F9C54E9A696A8383E51F98EAE7BA141CCF
                    SHA-512:882653DE27103E62BB39990068F83C2C04B4B3C44B225CD77D5F9EA978B764372159008543B6B907C75C6AFD4120E187A706504BF73F880975E5CFFBEDEBE7C2
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):6144
                    Entropy (8bit):4.594025390447715
                    Encrypted:false
                    SSDEEP:96:jVia1+5Cc0MRMd4ZNrPbwrN2KSFObPe0BZ1hxvBhoU3o6oB9Eoow:pFc5Cc0MRMd4TPbGN2P8PeoVxvBx4
                    MD5:E51783F79A9345C3E716B6FCAC4DD4B8
                    SHA1:29361E3DDDB322B0D79D28DEFB438D5CCE9DB15A
                    SHA-256:7C9BCB807B452C26229AE5F955167AA4F17FDDF5C65C76B95C0218F72224A450
                    SHA-512:E8836FC9E0E0006A9351404C5B608BC2815D9B797F57C5BF510B895FE35A05ECCF4EBAF04281CF12BA9BDCA465FD82DBC8F24A911673D7AC0500784736A0C0C4
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):4608
                    Entropy (8bit):3.8966622096671
                    Encrypted:false
                    SSDEEP:48:6kps/JfAs8u3ClR4Xfo5jghf8l+Yb2LcrzxHrDfgt:pOClR+SkhfdJytLr
                    MD5:EB2383F9161D3F2205FED9DC2E4B6D7A
                    SHA1:4C06BAD755889BCFAF12763187975D59FE747672
                    SHA-256:D0D1D0F488782014F57AD0DBB69303C334209461DDBBE60943123E1E0418E40D
                    SHA-512:0A3066CD9B5CBF299A8BD0561270DC87789001A36EA6B2792C69A7C122970DD42D11FC7321F544A4972045D95C0CA7CE442205C9DFAF73852D03626893E8AB4B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):45056
                    Entropy (8bit):4.092793292067392
                    Encrypted:false
                    SSDEEP:768:ghfburcvWHGR5r9JESxToICvhghzhZ+ZeLM7MT/vuF8h52:ghDuovWHGR5xJESxToICvhghzhZ+ZeLU
                    MD5:A59C03CB80503964DDEF1D983F49DD3B
                    SHA1:B6A1F635BA9C5EE63454D6084DE2D0A09F456A3E
                    SHA-256:6F95FE9E6FD736FFB3CF8DC0E44221DC695738B34B6003A6D1C4821EBB29FA99
                    SHA-512:DA55A253E2AC816DB204EEA7B1BEF2D5AA70B5F648F329923F79B01F82CD3FEF0BA801A877EAE08F6109228FA572F833446DCE635EAEDCA6DFA727957E31141B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):11776
                    Entropy (8bit):5.0126360942079975
                    Encrypted:false
                    SSDEEP:192:dirVKrLv/qk9Ghruh2T7cn4AbWMutWX5AowNvtYJPvYT4:ArVKPCCGIh2T7gaMuUX5APhevU
                    MD5:E3A4417F313AE4CB5F78175A0CB4F2FF
                    SHA1:D9360AB6BAFB4151DC0046CA9DFA1260862F9225
                    SHA-256:E7CCFC1A1A2118E1C57200EAC401669F5D23B019E4BC02124FBEA8A6C1FFAEC9
                    SHA-512:616353AE4866C1C9C7F331BE0ECDCBB573E7FE72FBA7599768DED7AFFC164D21922571ABDD9D1836A4369D2B7CA6F6051F1C406697714B511695E24A2837A931
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):6656
                    Entropy (8bit):4.437836907060338
                    Encrypted:false
                    SSDEEP:96:QSVi1W52NcHMXMdkZoQ/U6LFDHyv0c12yZous17hhEU3o6oB9Eoow:QMN5QcHMXMdkf/UcF+0clO1FF4
                    MD5:7C03B9B361D33E4386F96B02C12EC68C
                    SHA1:9C3A947AD00F9E0989A412EB93B6B15DE274AF0F
                    SHA-256:B330550CC4455657AA957BD209DB0D2DC36EB10102068035B66CF602B0E337C3
                    SHA-512:A3BC2DE8DB10FF1D22E267BBCF69B48B3BBAFD4ACBB6982AE3D81F4D2607EE779F73EE12BF6B65057AEA7DCA61167852BB3A3A7B3B299FDFB1D92050A7D67032
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):4608
                    Entropy (8bit):4.008359155801147
                    Encrypted:false
                    SSDEEP:48:67ojo/JfJb0AKkyWWX33ClR4XfoAofhfwl+Yb2LcrzxHrDfgt:ORLByWAnClR+shfpJytLr
                    MD5:68B43608F3E052EA2FFC5DE67C8BFAEA
                    SHA1:243AC8C233DD1256CF236E34EF5FDAB747157809
                    SHA-256:B8491F04F786FA4CF1A230A9F6CEAE2DF1C76A2F8BE720A17009113761B2CB2C
                    SHA-512:627E11E28F370FDF8F3E55B31DBDFD1965A03A100CCC0BA6D5DE13FA2FA9CEB2E1B410AC1D6A16A7649BC7C469D708F5F57F599B033034D08509D2573C819F5F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):16384
                    Entropy (8bit):5.019305996601049
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):6144
                    Entropy (8bit):4.636825563096464
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):6144
                    Entropy (8bit):4.700118321325116
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):4096
                    Entropy (8bit):4.223379145863811
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):11776
                    Entropy (8bit):4.923079941776571
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):15872
                    Entropy (8bit):5.2205237882145665
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):45056
                    Entropy (8bit):4.046595482771752
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):40960
                    Entropy (8bit):4.077888987306207
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:exported SGML document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):558
                    Entropy (8bit):4.56232532055836
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Data.SqlServerCe".. publicKeyToken="89845dcd8080cc91".. culture="neutral" />.. Redirecting to version 3.5.1.0 of the assembly. -->.. <bindingRedirect oldVersion="3.5.0.0 - 3.5.1.0".. newVersion="3.5.1.0"/>.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):10096
                    Entropy (8bit):6.268670907482493
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:exported SGML document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):558
                    Entropy (8bit):4.56232532055836
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Data.SqlServerCe".. publicKeyToken="89845dcd8080cc91".. culture="neutral" />.. Redirecting to version 3.5.1.0 of the assembly. -->.. <bindingRedirect oldVersion="3.5.0.0 - 3.5.1.0".. newVersion="3.5.1.0"/>.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):6.117075270040799
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):40960
                    Entropy (8bit):4.453857733443119
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):4608
                    Entropy (8bit):3.873884959213548
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):40960
                    Entropy (8bit):4.168830066196308
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):45056
                    Entropy (8bit):4.057972928096337
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):6.244791212305518
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):11264
                    Entropy (8bit):5.32674924574263
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):5632
                    Entropy (8bit):4.53023752185148
                    Encrypted:false
                    SSDEEP:96:4VhU5O2nKmoKTnE/gCcEVN2BImk/VCpayLTbLARkhiU3o6oB9Eoow:8iKmoKzpCcEVNozk/aLHLAaH4
                    MD5:4FBBC411FAFB3F1115AC01D9E7DC9390
                    SHA1:4B3D8D5557FE8417F73ADFFC9678F10612FCECDE
                    SHA-256:4AA21290CC40209144046589A219AFCEE1386CF4D469152378D5B6CF50266276
                    SHA-512:EBA7FD71A84D50E62B3AFE8E58E13542465A6C93CE11BC1B108B97A00523C55153A31719487A5CD5E03523F8804D71829BE3D51F33C8506CEB3BFF183B9A0089
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):5632
                    Entropy (8bit):4.4889674619469275
                    Encrypted:false
                    SSDEEP:96:JZSlUCnzmSC7/PCcCkDuu7omKGF7/RitdoLAJ7hGU3o6oB9Eoow:JZ0zmSICcC0fFVQdoLABT4
                    MD5:56E6F75B7BF49B1133DE6408FC039485
                    SHA1:E4554ED60A9BE30E2F73A47AFF4980C81C411469
                    SHA-256:B2014C96A5D254C36CE9C6191089E8DC4CB8519D6F4390DEF0EFCFC76D4477FF
                    SHA-512:DBD74D14CD802CE2CF15F5FD1A6DB64CF079A706C047D7E88F597E1E98C388F51B2442A64544DCED3E7BE5CA1A9A746D1ECB0808C65D2E19C2D305BAB22E4506
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):4096
                    Entropy (8bit):4.252581602057855
                    Encrypted:false
                    SSDEEP:96:gEfb5nn/nf5pPREw4fHghEU3o6oB9Eoow:gYb5nn/f5pPREw4fHgF4
                    MD5:32A9B269303B3222F77F0FC25BBA779F
                    SHA1:3CC5408993967380D27138CC7A0E44F5377F6F8B
                    SHA-256:5F48A9FCE89C509A6EC35858C739ED5B9AF611F2CDE029BEE6166A6BAC4F7E6A
                    SHA-512:13DA94923D14337B1C74C3AEC37CF8B26F422B0394CA25A6A96FEB5A475BA37E5980C361D1DE5CD90FE4258A073DE6B5B7B9B8F73B2778BA09179FFD9AFD5839
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):57344
                    Entropy (8bit):4.337291752137618
                    Encrypted:false
                    SSDEEP:768:fhf64XFfpzFL5hBbh7K2NQ7sLz6zi4fCglK/C/hhs5AcbycRqIcgFUphyrFlhhvJ:fhi4XFfpzx/BV0ujk7exCUqk
                    MD5:1D61F25258231C226C26C39C252C8FCF
                    SHA1:0E5313ED94E15F1328BD6F63C04F4B5A6DDB086C
                    SHA-256:0ABA7EB365BC0D2560610E52CE7B6D6DD4F72F2C07E05D0A6C42365035DD8CB0
                    SHA-512:ECA3C72EBB4365E620C957EB1DFB63A982427D9180BBFAABA751E5FD1FC064428692EDECDF8652EA7B1AEDC53E066754B7A8959255AB188C709421C051D04B38
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):28672
                    Entropy (8bit):3.414022290790832
                    Encrypted:false
                    SSDEEP:384:Mz9wO/+WPI1SkYK5653PauiwnFMQIKU/XpUznTT4jZ5i2pStL5U4obT7JYN:+B2pQUxH7ON
                    MD5:FCBC5AA820402FCF52B968F97284F8D3
                    SHA1:53D8FD52A2EA79B7953D58E82B202250BACC9A3F
                    SHA-256:82D9D100C7E5B8FD1687551810EE83901D429EB25DD4718526001F51E50A005F
                    SHA-512:2F852165D226756236C089916F7CC1BCBFDBDA8CCD9EE76FD5374423844609646AD06CD35ECB9FB071B44DE9CB9386B31D216411F1A5CBD66FBC03084A6CAD67
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):5632
                    Entropy (8bit):4.517555832276306
                    Encrypted:false
                    SSDEEP:96:qZlzBYf7nymOTAl/HqWCcxxa540NRUl4fbLAHZ7hyU3o6oB9Eoow:czKymOQCcxc540NRUl4fbLAHx34
                    MD5:AEAFF4D6693DE9C97F660BE7ADF832EF
                    SHA1:AC8908398F7DF70BA48A18BC89E6194F43F84D6A
                    SHA-256:4224BADAF93C2C51DCD709369DAB84A04D43B668E341661DB40907CC76C81834
                    SHA-512:EA7364F6C10231376D60E24AE6547F2D62894D3D8E00E0F3A017D7B701A6BC902A79B5143F621E38FA128367EB11287EEA6A2BBA046B4372AB947ABA0D6063D8
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):15872
                    Entropy (8bit):4.966702222402057
                    Encrypted:false
                    SSDEEP:384:foz9zR0FUaht6ujg5w5oLcBWIX/Mq/l85K8wQC+9zZtTHDIi30R/mbUkMhqc4E4N:6OAN0RObUB34ISr/
                    MD5:08AC208032A357A6D82F98C2FEBD137C
                    SHA1:5DD046FB9C24437559B38C0F1DC2EDEF852B731B
                    SHA-256:550FA61C70EADDE2497916C7679ED3A46BFA8B0C50ED4DAF4C68F489E514E6D1
                    SHA-512:6B3DAD6350974DBCE4B81B2EDEC943EDB6465D521D54EA6345D64E2074B3E0214A363207BB1609D6652DA33C2E0592D84552395042A647C37B60A1D8477E4BA2
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):4096
                    Entropy (8bit):4.138089161692617
                    Encrypted:false
                    SSDEEP:48:6gTe1pO25MIswAn+hnLGLBiUSiKbmZTnKS67khihmLvXbro1pOor19E3Yo/gd:kz5MIEn+ULcVo64h0U3o6oB9Eoow
                    MD5:80BDE30D5F2BE5396D84202F4D60890F
                    SHA1:30103C4B037E8FCB0CB02B6779BB231A870C73E4
                    SHA-256:8FDF150B307890F5A11671E023C301A6EF304822F904DBA2A381BD7F832D8E9E
                    SHA-512:757BA22254384D1EC2AA6FAB3EBAFC4600B23899AFDD0627BC41858B6F3B85E5033635B198BDA9F852A5E63396B8930C8B76D09CFAE88FAA8C06A1D0C29DBF9E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):5120
                    Entropy (8bit):4.2593494558915035
                    Encrypted:false
                    SSDEEP:96:Gt5u2ynvBZyrJrrErQFKZ2pWkq6hpU3o6oB9Eoow:05u2yvzyrJrrErQFKZ2pWkq6E4
                    MD5:6D4ABB09650BE7BB6A458168F9822569
                    SHA1:6565C681DF26A5035E393935ED5B25EF219C6464
                    SHA-256:B25EB8D1635417FCF697601D845262AA5E2F06FE1649EECD2280EFACBF98C9BC
                    SHA-512:D9518655E713A26D06F2551EC371896D7E274E2CD690F629D1BD48417EB7F96B7291DAE66052F2745FF730872895FE2182751F465DC9F3C75D2F8448C6D97608
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):40960
                    Entropy (8bit):4.032611059642933
                    Encrypted:false
                    SSDEEP:384:wLPh62cNhwTdil+Y9I9u87IC25nTMCM4qZ35O5ztUPMMNMMH/ucM4nDW7AtBwQnt:wLPhMKd/uV2zdFq2mlby
                    MD5:2FB6A21069AD3A817B6D816389BF3C7C
                    SHA1:A729F7AAA999277AC88AEBF884DC4A808EF1656A
                    SHA-256:3D872C357D0DEFDDE47B42E4A7EF1D698894011BD71FB159D34FDB26AFAFB65B
                    SHA-512:D98ACB3C933143F34F192D9CA651BD80483EA881ED30B5E6EFC3E9939D1419B383A4E4B1C58BCC855B3196E6270BD1AC8AE5686890224002F54E9F62AF65D555
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):92016
                    Entropy (8bit):5.298427268425719
                    Encrypted:false
                    SSDEEP:1536:MQFhnnyxmTD/cy6EowJk/JtMNxLq2nGafMP3aQmJS9zq2igAMXsJZYDrAUc/OnJa:MQVD/cy6Eow2/JMlnGaUPqQmJSJq2inx
                    MD5:8004FB800AC43E123710860939C02912
                    SHA1:03C9B998F4ADDAF4E4F08D6BF2393593D98B0840
                    SHA-256:B2BF18F9A9F19C0871836D3B8A8896C3F41AFA48944ACC117DBE0301BE0D2203
                    SHA-512:F7888C1D9539B6E3B9F22CF97CE3AB48E14648F69FEA97A4F877C90C02AF07032634BFAB35312C90E5F27E0B45889D2F2EE5D0E7E6FB67EF32680220D38BDCB0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):40960
                    Entropy (8bit):4.181276917728655
                    Encrypted:false
                    SSDEEP:384:aKLPh60M7yIey61Tn9N9581Orq58ZMdMW3F75J5RiIfMMjMMGyZIr2/U/NNJ2tls:fLPh2hR7y/6UX+FzTkGp/jnZa
                    MD5:5F79C99A0E7F3664EC28124379561917
                    SHA1:E1B8D9FF24231B37497ED46436A5433CF8E1A811
                    SHA-256:406BFA7EB2ED8145A52BCF733020713A2AAD53AF402CB32DEA83178A21EA590E
                    SHA-512:7DBBFAC2FBC4D1995BC1AB45681841B338A579CD9A10E6BA249A657C5735890C5722ADFA5D5C43B9765FC4DE6EC46406A8AAA486D79168A1B21DDE1442EA7E8F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):115744
                    Entropy (8bit):5.596891250705777
                    Encrypted:false
                    SSDEEP:1536:UJeV8Td6HjYZDzyaqPuQr2cQHZcYHwwpAfqfJsssh8Cu1:UQV8TtDzbqPuRSrssh8Cu1
                    MD5:01B68622F7B4A699D52F9A0B5EA5E4EC
                    SHA1:E3656EA1D320F475F2484EB3DBA8FD3050487327
                    SHA-256:FCBB269DB40C672FFCFB0B9D82E7958F2C746E7476671FA704DD4FB025527048
                    SHA-512:66DF55A5D40A20824A92A4918B31D51ADAF6773E32B6E889C7F8DEFEA9F7CE515F635164DAC6EB4E7DCD8A71DF297D199F138945B78F868FDF4BCBE2547D9D17
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):4608
                    Entropy (8bit):4.029039213533347
                    Encrypted:false
                    SSDEEP:48:67n+425Rsesvnuo1dY69sjbVQGyHtvXgX1/j0hthmLvXbro1pOor19E3Yo/gd:t35RseOnukUyyL0hfU3o6oB9Eoow
                    MD5:B3EF7AB652D30AD8A967E59761CB8832
                    SHA1:F87155DCFC1735D32C11D79CA09996964C91871A
                    SHA-256:92C6F13D9F3B08F8AB49B6AA3F6AB57B4EEB25900CB0A6DAA698FA42D95AF3B1
                    SHA-512:B5CA5A861039B40590B716FB0C03F70CED5CF6D0BBC73D5A9999DBE30E992753634E6A5766CFD65C5CF4A723E0C8B4D783F9B82F389BFC5FA7EB1E410BF2FBA8
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):6.284256120324463
                    Encrypted:false
                    SSDEEP:1536:8vU/oZCQTquSbvwkVUujERYVbS6+lAOkjqSZoY5JILkS:82oZCoq3bYkVjga1ncBGJIgS
                    MD5:57947B5A87EBA34FB54A50BC307293B2
                    SHA1:8A955126B80278C34251DC6A8812CFDD215EF889
                    SHA-256:3A89EA7567197799F00E273D3115C855B26F0AD965F4B703F492B009B87BDBA0
                    SHA-512:2851B573EBF5596869D041CD214909DEC922838DE85CEFBD548B3ED7680B3B07B02547053088795973D880B24FB32E1AB4E9C77B538AA93337E14DF22E35E74A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):5632
                    Entropy (8bit):4.549431167481169
                    Encrypted:false
                    SSDEEP:96:SIBtTtqWtnqmYpao/dCcbP8Svzy1Yy+4LATh3U3o6oB9Eoow:NDtqmYpfCcbPrz30LATm4
                    MD5:F6D02DF34ED6A36127FBFDF2812B8A4D
                    SHA1:1010383C744E34C0C54D19DA11B3B6715FA61101
                    SHA-256:DD33F972AEBD24CCD3381A34BDE739E0CC4A6FE7C53C64D8C9C3F1F4FB41DF46
                    SHA-512:D2D0336ECA68F53A36F102845A376D66E2B9E7C66FBCCD7E8DD1AAB2651B376C2964AA9F3A02FFA42EE6AE68A4638C5084F39B4DD9CEAF5F1A17C2F316603F29
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):32768
                    Entropy (8bit):3.959367821701715
                    Encrypted:false
                    SSDEEP:384:0ksXGTnZE0ktFMmbL/fvXIy1twoCm8Z40Mlff/4Ifr1iAO8hq3D+97LtMRjrn5l+:01GLZE0wSqL91twoH8aBMJrPV9C
                    MD5:7EDABF7BA0B7231D586C7D89F3D09212
                    SHA1:9B5291EF2D4DEEF02189B02E5BFFC6D8AC22DB33
                    SHA-256:B8A592FBC2DAAC52C5837F8723E497A6430FBBC16D5904FFA09BC7CD9907C7A6
                    SHA-512:7B73F77FC4A60B27157C81B78A6A3825A02081E508F5E44DEB33281D5430D0C24903864639C0C8E55A4EC763E9DED3A4E793B78D204807EC73B6CD63449DB4B5
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):15872
                    Entropy (8bit):5.010429307115005
                    Encrypted:false
                    SSDEEP:384:9Tz9s9mzvx3HFCXzLL5k5gSGaDfhoMEad4ENUB7aoBT5JnuG6DMzNatL8+Rn++E:FbG6DRlzdE
                    MD5:4BD1105F346545A364545433163692B2
                    SHA1:92BACE788A8460E99D727C29F233B3214B846001
                    SHA-256:D040A5117EA5CC5447D3BF151290BF0351D8A4AD394B4DD92ABC9BDAF5F9E692
                    SHA-512:F347EE64669DA3B06B001DFCD4F2C2358EB04A554FEE409F2D584056762458D1C372659F6625BD3ACF7CFC8869E7F05FB8C04295F3450D8565D3DD9E5B0ABAE1
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):45056
                    Entropy (8bit):4.19080101209524
                    Encrypted:false
                    SSDEEP:384:JhVzx0oEM7eO7itzrctybBHIyXevvCZcRcVJwAdbKRfXINi2NjjlFnDsTsFsns0D:Jhflftwdbfjnh4josvDMX3qVSvnc
                    MD5:2D6EDB1956F0CF5BF83DC6063CC548F8
                    SHA1:E71B938249A75261FA7FFA1FE7AE76AC2F23378F
                    SHA-256:B4524BDE43B3A48DECB1EFC06616F628E38176C72188A462634DAA969D7EF989
                    SHA-512:C359707FE8BCEF4A9909D27A8CE35A96CADB6990FD55ACDAC7650600876181B143731795844B732AFFA4B36D87D0CC6DF6388B2E069779B011093AB3D18B5A29
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):6144
                    Entropy (8bit):4.798086217805784
                    Encrypted:false
                    SSDEEP:96:tMjRVilm5OcFMQMdMZKF0LurgPqjSCGxJyptLmijdfiWzhFU3o6oB9Eoow:tMLx5OcFMQMdM00LQgyjVGxJ4lmZew4
                    MD5:7E65B517F047F3E3F1154FE4B7851D52
                    SHA1:A2821230980916C2604A35D211213FB90AC5097B
                    SHA-256:4DFF4F5D55D782A5524C3CE72A4067A43901A3008148C0F3804FCE416175CCDD
                    SHA-512:6FB70068FAACE5D034E2BC413656E0C6E9E30FF52A67A12D6A106DD95B6DFE151F606969F10165C548E995F05A8BAF8149E6A75E793BA316BF4D4A25E6DB8226
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):5632
                    Entropy (8bit):4.548774213065731
                    Encrypted:false
                    SSDEEP:96:Mq5whU0O2nHmiBc/pCcDJUSbJdiRNWLAXhaU3o6oB9Eoow:N5CHmi+CcDJF1LAXP4
                    MD5:B5084491E44D6B3E0F36F5BCA7554823
                    SHA1:E2A28D904EEB80C177FF09A0C4979839135F155E
                    SHA-256:7A08A11AEF22CFAFF48EA1D1EBEEF3F56E0E75FD3D21960A7F27FAA45272F04D
                    SHA-512:B8A82CEB24E48646A00D2795BB676A02DDFD113EA5FE47A682B646829EC2D321A4243A296E679E9FA88D38FB8E7FAA55D38AA0F2B1D4B2EBB4FAEB98EB8C4200
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):6144
                    Entropy (8bit):4.681385150585212
                    Encrypted:false
                    SSDEEP:96:ASTrvggn8mN5M/oCcOPedbsXCm5IJylLASRhxU3o6oB9Eoow:Awj8mNXCcOGZw/5EylLAq04
                    MD5:DD30981A94157BDF6216BEB993E478DE
                    SHA1:5EF3EC10A15C7AB2572DDDA98A69BCB807E193DE
                    SHA-256:8E0852F53BCABDC089B08A8967C1ED48C9037A0AADEFA3575B4A8E0332D1AAC9
                    SHA-512:CB83B9969C29A1CEBA19350B88195E8C2F7D0D093B3C5EDB42A658D3B1E3BDAF8CDA3FB326EB5909C09E112597CF4A5A64DF28EFD5735415849F6DE8AED8E18C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):28672
                    Entropy (8bit):3.8627900094937417
                    Encrypted:false
                    SSDEEP:384:qIz9JhRCdnHGZd5eD5P53rytneHPMVVrfBbkKIhipT3CDvDtpbIGFvsQ:qSJcdTJsQ
                    MD5:6498FBD829FF5F07B11286E608A6E852
                    SHA1:BFA9385B58B78045DD2FCB454EEC2CBF58307032
                    SHA-256:C70B37C8DC182E09EFEC3375E2AB205E8D26DBD48D88BED0B4B4FBF7E16673EE
                    SHA-512:7D867BD20356E78E6BE597B1B76F654115EB16D97264BE32890825BE0FC92819F73A9A56F095469CC6755AFF897FFE2A2621A1C2264028EF0C52F6FEA2E7220C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):45056
                    Entropy (8bit):4.057593169614854
                    Encrypted:false
                    SSDEEP:768:0hfFBOz+qkSEhXQoIMy525a8FKDqjPG8Xw5wbC+M+26ql:0htBOz+jSiQoIMy52Gt6nJ26ql
                    MD5:DBE376BDFCD04F2077EAEC5CD2C3B054
                    SHA1:5E351D28440804E7D89F3CFD36F2A37DCA14E694
                    SHA-256:87C0C63218FBFCD57793E3034341574846F041F6E2098554126C849467F0E0DF
                    SHA-512:5B0F81DADCF53266F795884C4A564FC2D5D18E4EC89F764160920F30F5AB69BD64345F0119C4D2A3D1559E006EA65E440E25517D851619A89511C0A74CE7A618
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):40960
                    Entropy (8bit):4.23605324344275
                    Encrypted:false
                    SSDEEP:768:ALPhUOqcWaPL8H4HQY3h9vG0Tj5fHNH8Z:A7hU3cWaPgYPRg+n8Z
                    MD5:7DCD84A173F5EA69ED0E09EED8F6381A
                    SHA1:190FAA00EFFA537BDE43A4D85B207F909F2F0FD2
                    SHA-256:09685C16A429C9B6E313C952A93AA8803146676CAF15B59E318D034969863B2C
                    SHA-512:965E25D2F805316E7B8541AC55CC16E151BF14504BFCD8AF05ABBBBA146D86E4255049A529B1E13E2DEAEC2985FB183EF9EBF0980224409C010BE5D05CA385D2
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):5632
                    Entropy (8bit):4.442308022102743
                    Encrypted:false
                    SSDEEP:96:hL9cGknOm4rAo/YCcPWnZH3COH/JNdVu8eo8LAfheU3o6oB9Eoow:hUOm4QCcunZXCChNfu878LAfb4
                    MD5:F8DD5C3905007C20BB31B47D14750AE7
                    SHA1:107FF0238A3090BD491ED588EC39E2AC154333C1
                    SHA-256:832A5788EBE97BE4023380639BABCE232172EDEED54D4FB61B2161975DFBEC32
                    SHA-512:16B548960B79CF0BB13E4C8D242049FAD646C107774A22EA503F7774D30F5E8784C6B33364004C4C42A6E58615BB618486780FA8E4D79AE5A390EC427D5BDB2A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):45056
                    Entropy (8bit):4.365319869448245
                    Encrypted:false
                    SSDEEP:384:uLPh6nmHdsJ6/L+Z79q9rwV2JTH/5WjMRMjpmL5U5zD6qMMCMMaB/dxbF8y7tQeY:uLPhLf1RQNgR6KQOGQ
                    MD5:46AAE34B4B5E0D4DD70637C2D1A8A87A
                    SHA1:F97C6AEA0B16A2FFA112112204077D9CCD82A8CE
                    SHA-256:7D4DF3D34540B0B6EE166830E50D532B21D85A0257B106BFA5031954F2D66AF3
                    SHA-512:DC7EB205648ECC94C6AB2755AFC03A2C161BA1424C800D57348993A6781B91442ED09B8B3913CA315B7AD4F32896E7E050EF8C3D041C40B7904B006DDF8FFC3F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):45056
                    Entropy (8bit):4.089964976526149
                    Encrypted:false
                    SSDEEP:768:GYczBuwm/o2AD+T8xtX/E6POSqt9BXs7:GYczBuwm/o2Q+TubWSeBXs7
                    MD5:07FD6CCB00BAB33A84E9E618C74BBF94
                    SHA1:3F6F3F9BD770359854CCFDFCF41A5145655B571C
                    SHA-256:8D71D2ECFAF16F43D0A579B835C649FC00B58AED738E4D697C75CBEBE2B90F41
                    SHA-512:1350D319ABF22855520A4CB6B9F9A32E57DD4CA1BEEDC107B96FD64F2EB7DFDD311DFA6A758550A2291D340EF7DF86CAF4F11D36F888B7F4041D93C49624C76D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):4096
                    Entropy (8bit):4.165721918828699
                    Encrypted:false
                    SSDEEP:48:63DpZj25BsPsZnbhqpsXgX1RkhehmLvXbro1pOor19E3Yo/gd:MS5qPcnbhaDuhAU3o6oB9Eoow
                    MD5:7D0E9775642622B877307891BEEB5D14
                    SHA1:E6294356D2D31D29A47CFD44802BFF5A5BEED784
                    SHA-256:556A2A590F4601064F8600F2EAA7558AC07058C57967E75DC9E92E52BE35CBB3
                    SHA-512:A4D418EF010802B0762B9E9AC64F46B69314A49A3CF0CE2636E9F4E232F8CF18DD9662B17ABA59469DBB822050A9C0BE00A49F7AB161CD8528C3F0115BAF04E7
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):14848
                    Entropy (8bit):5.5940194062462245
                    Encrypted:false
                    SSDEEP:384:sz9RsuKX1flU5xTq5k5CNz54fcvMbAewS87cz1E3ITPve/xevqiIerEd:ebP0g7Ed
                    MD5:D9FDD00F4E8C5FC4FC2234AB0C76FDCF
                    SHA1:E3EC13AE66FFECEFDB92D64F319F90AD01E823C3
                    SHA-256:9C1D1062F2A577FF64461DA798AD603E716F9DBC8C309DBC5F8BB5AAC4B339F6
                    SHA-512:B81794A9F7D254D2BFD02A3450144F147F7B09489DADD40CEE8E63487712389F09316B9785C66BADDD6A1B8557A5B64059AACED97536D347CAF9DA9E17C71F20
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):115744
                    Entropy (8bit):5.568536524162558
                    Encrypted:false
                    SSDEEP:3072:CwiXrhJzera3SCvvcgcWc+IEZ1GNF8L8Cy/D:+rhJzera3llIEZ1Vg
                    MD5:DA5EE020BEF41DC95C3532CBAA1EA8F4
                    SHA1:6053C6FAD74F8B47494609AF439244E69D262B16
                    SHA-256:2E933B9823F15038EAF786F0898DF03508A17ACE8620A404EDF5229AEA0B9F18
                    SHA-512:6E2FF7406D22B3FA42F3A34519F8775559080E12B3F68840012E87ACF654C21F65D8599EC42A9B6F908AB1F621C0ACAD517E85B589D38F6D06E4EB603A37C7A7
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):6.255451939807546
                    Encrypted:false
                    SSDEEP:1536:8vUKizeMYBGXXuuyxHmXOLBnk7z7eTZt0ehI1VKOBdSIA45J8TP4FfI:8rizeMSGXXuuylmGnkP7eTZt7hI1VKOI
                    MD5:C75AF8CC75FF8196D98781CA6869608D
                    SHA1:0344EFD93FF30A842EF3A0398F2C86A57FC39EA0
                    SHA-256:689A8766AEF28324028726FE45A3113805EE1632D508FFAB66871DFB2492D3CA
                    SHA-512:AC1142083CF1DE9B3C23038979E022B6DB951B5E824D63B2E8B878D0D5A4A9A30660552675F424690F97A8B9A45132EC71C91990049C3380644AC0DDEADE491F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):11776
                    Entropy (8bit):4.844651749886387
                    Encrypted:false
                    SSDEEP:192:+/irVKrLvHOWT4unvGPCX9Qmq/UKa9QMP3jTpMM0o3qasQ/4tfdz+4:+KrVKPbTpnvGPC2mqna9QMLTpM/wqJQz
                    MD5:3F2D769865D59A64D748D3C1FDE4F193
                    SHA1:EDA914C8A5CA2EF2504CE0308142C486B3CAB02D
                    SHA-256:ADB40CB6E7BFF6A455D52E2882192B68939AF58A0F6ADAF3354E678DE87B503C
                    SHA-512:92CF04CDA2E744A8EFE4A72CF25E5B61A7206A2CB4184A37A7266310483AE224001E5CB780B8E6A49451D2DD55C1504193FD166AE32CBAC724EB0EAF82927760
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):4096
                    Entropy (8bit):4.294470168866414
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):4096
                    Entropy (8bit):4.219137737035142
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):15360
                    Entropy (8bit):5.059569967984931
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):45056
                    Entropy (8bit):4.319627559744852
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):69632
                    Entropy (8bit):6.195227501514738
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):4608
                    Entropy (8bit):4.180906323161462
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):5632
                    Entropy (8bit):4.376550560542443
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):11776
                    Entropy (8bit):5.048498126412034
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):6.161876902991835
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):4608
                    Entropy (8bit):3.939724459135519
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):4608
                    Entropy (8bit):3.8523616977109887
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):7680
                    Entropy (8bit):4.701996783887899
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:exported SGML document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):565
                    Entropy (8bit):4.5775485673710286
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Data.SqlServerCe.Entity".. publicKeyToken="89845dcd8080cc91".. culture="neutral" />.. Redirecting to version 3.5.1.0 of the assembly. -->.. <bindingRedirect oldVersion="3.5.0.0 - 3.5.1.0".. newVersion="3.5.1.0"/>.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:exported SGML document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):565
                    Entropy (8bit):4.5775485673710286
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Data.SqlServerCe.Entity".. publicKeyToken="89845dcd8080cc91".. culture="neutral" />.. Redirecting to version 3.5.1.0 of the assembly. -->.. <bindingRedirect oldVersion="3.5.0.0 - 3.5.1.0".. newVersion="3.5.1.0"/>.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):10096
                    Entropy (8bit):6.245127063738307
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):40960
                    Entropy (8bit):3.9698775525948657
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):53248
                    Entropy (8bit):4.218665708409912
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):6.233814304322318
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):6144
                    Entropy (8bit):4.690741536942213
                    Encrypted:false
                    SSDEEP:96:f7Viomn5vcgMFMd6ZREUGF5jNLQnvPmVK7ypo4tbokeIyvhkU3o6oB9Eoow:fxd45vcgMFMd6AUG/jRQvPmVK7ypozI5
                    MD5:B1AA0E1B1EB3CB7FEE4818F2F15B6C59
                    SHA1:2691AA08C9E442E315CC3C77AEDAE6DD1B9CB8AC
                    SHA-256:A42064FEC9312F6473DEF921808FD7655F3E394808EFF2234C20CBDC162C6D0E
                    SHA-512:8BC8562AB690E01D2D6FC2BBF0A0EC1F6A528EC219196DB984C9F8A05C6FDAE42D6C9B1A5CF6338D80DC50D38EA682FFD3032F27F627293DEDE3A00F433842E9
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):45056
                    Entropy (8bit):3.899189472238229
                    Encrypted:false
                    SSDEEP:768:ILPhK9cCRdIcjFrVzbYCSPeffo4ZQrAEsI/:I7hKaCRvjbzbYCSPeffo4ZQrAEsI/
                    MD5:229D63B9C1A8DF984B33B5729354BDBC
                    SHA1:AF5D3221C8B60C5304746A02B6B3CB45611C1EC8
                    SHA-256:1C806F71A3CEED449BF627512D3DD3B09C13A949CA2208F02EEE2B4A50C4EA8B
                    SHA-512:762D6DDB330A44C41EFDDA15B4863BDA6BE0A51243BE222757D7D3C734B59F2BC9CB544323F4A7B34106F03A1B66177B216894DB8B436B28269AE7529F6A61C1
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Microsoft Cabinet archive data, many, 2550826 bytes, 11 files, at 0x44 +RA "gdiplus.dll" +A "usp10.dll", flags 0x4, number 1, extra bytes 20 in head, 174 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):2557362
                    Entropy (8bit):7.9990793290681115
                    Encrypted:true
                    SSDEEP:49152:4/o8IvVdhJh0qXtzi+5NIerMQ1nUBJOxB3ZTkhXxbHdm+68uQ6oGdRyvV+:4/oDdmUtzFTIiBUfmB3ZQBxzs+gQpLvI
                    MD5:056862CF6626F082179B637C163076F8
                    SHA1:C816F17004D51AF1C25DB6FF8208C74EDF7E2E76
                    SHA-256:A612E9E19DF002BE18B42AEA7FC2D554CEA2A3ABDE0A74EA081992E79F1CCEB5
                    SHA-512:DB36B9D42CE28E8AF0EFF8B930D86ADC7F38659F4047A5B04D427670426AD2D9C661BE3BE199EF3B8550CE618313906C7342D0234C2D5F078AB6B508D6A29411
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Microsoft Cabinet archive data, many, 23168 bytes, 3 files, at 0x44 +A "PrintControl_res_cs.dll" +A "csprintdlg_res_cs.dll", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):29768
                    Entropy (8bit):7.947828122635172
                    Encrypted:false
                    SSDEEP:768:XUfW0r7hsVmBTnE11WTep2mjcfgEi8js5Jh:EftrmmBTfmMgEi8Y5Jh
                    MD5:A2742530E61CC842141C0A12C0EC564F
                    SHA1:5B22B7E3A6DEFC02F1FF3303889146A64BC0A3D8
                    SHA-256:D122FBD5463301C727338AF77B53AE4A77F967D9152039BBB8A39A4102EFDFA7
                    SHA-512:D6714B67D8B116742A97BEEA5B0CF3805FA3C2D33A811DD7328B5B51EA9529EC9A911F6260BB20164229CE2EE5CAA071A714DD2CCDC8420F4ED51E0ACB95509E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Microsoft Cabinet archive data, many, 23069 bytes, 3 files, at 0x44 +A "PrintControl_res_da.dll" +A "csprintdlg_res_da.dll", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):29669
                    Entropy (8bit):7.946307993444019
                    Encrypted:false
                    SSDEEP:384:7LCJbTDnF+1CUlhkR6V/6BTTaohHknP787w2VtPa2+ngBHEJJ2DHh4exZnvnYPLQ:UFWhkRfthEY82VhSn4gS4eTs5J+
                    MD5:A025626D6E7A6FB6B9C81EB0FFF8B57E
                    SHA1:635AF4AC87F71EBDBE062D70FB704C2C282FA788
                    SHA-256:6C37A7CD5828ED4327390E829C3F188102A4D1FB0132FEABA1A4FF460C387F44
                    SHA-512:6C3B3F444F7349656997972DFF0273C79F240D9F486361B5FB08DFEA894A0078926FE1F6BE8A40EB9E8EBC2A3A48BF56D7650DE25523398338A28A30651A0A30
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Microsoft Cabinet archive data, many, 23169 bytes, 3 files, at 0x44 +A "PrintControl_res_de.dll" +A "csprintdlg_res_de.dll", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):29769
                    Entropy (8bit):7.945457388094454
                    Encrypted:false
                    SSDEEP:768:qRBSVbS6pu5JlAOkmaqS7t/dKcSjs5JI6:qRYVbS6+lAOkjqSZoY5JI6
                    MD5:2C49C08A3B88CF0A5845775787A85A1A
                    SHA1:EB4B90A7806D6F3E1804E3AA24B17521075F5C57
                    SHA-256:8E4003D13F96CDC4DF78F3998E8C1C9836DDDEC8B1E9A2C0AFDEDA1D4F54FCA7
                    SHA-512:C644931C5A6087658E63770E5A83EC2A3984F0DE709DAEA1A3D2C97AE49EAC2B38F6A2DA3BA48018A59C86BD9298B61D3B82542ED5E07DE7F2FDFEDDC3027A4E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Microsoft Cabinet archive data, many, 23111 bytes, 3 files, at 0x44 +A "PrintControl_res_fi.dll" +A "csprintdlg_res_fi.dll", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):29711
                    Entropy (8bit):7.94912734712431
                    Encrypted:false
                    SSDEEP:768:HmeSknRr6A12xO1EH2XDQ9enBAuB7kp3VkBK0Un7NIEHbWs5JEn:GerZ6A12xObBvhcVCLIICb55JO
                    MD5:2080DBDE386CC20C17A0771DD6774635
                    SHA1:AA190907A3832BC0647831D8DE451D3844A2D5C5
                    SHA-256:9178646D37B4BF17EA160B74378CC1A6F1E32A87371A8C4CBC626F414D020B05
                    SHA-512:6E73E338D8EB8A6D912FADF976DE58599EF925D4965A2BCB95136E2B07D8B66B85243AF2247C823DF99527EF83859EFF68512A56C49F94EB18F5889E47B6010A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Microsoft Cabinet archive data, many, 23225 bytes, 3 files, at 0x44 +A "PrintControl_res_fr.dll" +A "csprintdlg_res_fr.dll", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):29825
                    Entropy (8bit):7.946995790730439
                    Encrypted:false
                    SSDEEP:768:Bsg/wzbJRdi2ROI/0LYK+W3VO5RBGs5JT:CRm5I/0Lv+vt5JT
                    MD5:735E13B5B2030A61ABBC14F0C26127B4
                    SHA1:C6B40ECC82C722E91F009F7E56F4F6D75A439A36
                    SHA-256:5A932C60BCBF8AB0ABD2276B94B394DE5E5AF8D05B5B7E72305D80C9D30D4EF4
                    SHA-512:DF3119E985B05E4DECA2FCD45DA5579261842E1B8D28326AFDE72FB3E00A1A78FCFC09FEA610991C163723D8FBB49AFBFBA73FEA38FAE83199A6AFAFA1D1BD59
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Microsoft Cabinet archive data, many, 23078 bytes, 3 files, at 0x44 +A "PrintControl_res_it.dll" +A "csprintdlg_res_it.dll", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):29678
                    Entropy (8bit):7.944927973124579
                    Encrypted:false
                    SSDEEP:768:eeBmgrAL9dE2DGFuhf951KqgZD9kls5JYP:hHrAL4iIunHKn5JYP
                    MD5:4AFFC8956574F3D8AB5E5D407C4AAF5C
                    SHA1:D77067214B4F1B5EC14E064956AEF20D2FC2EF8C
                    SHA-256:86D93405A42941651265194539E6E68EE7C1D7AEE1F9EAD3A6349A8CC8B4F948
                    SHA-512:294FC975380F4FE94614D392F14A8336317E47B083CE14323207D8631FE05C2E4417B61FC176E27E0DD5FED42A8581C9A9628E542688C90A17FB5FD7FEA05FFB
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Microsoft Cabinet archive data, many, 23084 bytes, 3 files, at 0x44 +A "PrintControl_res_pt.dll" +A "csprintdlg_res_pt.dll", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):29684
                    Entropy (8bit):7.945762551277493
                    Encrypted:false
                    SSDEEP:768:kHQM7ZBBshAQCS6pu5Jqe8PqHSZCIk0iYs5Jo:GQMNE6S6+qe8PqYCB5Jo
                    MD5:B7FE468D01906728261670F6622042D3
                    SHA1:CF96AE75CDA2EAFD8EB1F87ACAD764C061897C1A
                    SHA-256:ED2125795439F4A4DE5587E1683F2A7A342A64F79F677E519BFFF5021240EE5D
                    SHA-512:F895A95B6999A03A339E67CA19F9A0CD7180B405839117EC92B3D9064F338AE300B3553E8063FB7AADBA733C27BEEC252ED2440DD6EC92137C5A738306602C61
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Microsoft Cabinet archive data, many, 23067 bytes, 3 files, at 0x44 +A "PrintControl_res_tr.dll" +A "csprintdlg_res_tr.dll", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):29667
                    Entropy (8bit):7.946011430229293
                    Encrypted:false
                    SSDEEP:768:fo9C57Zd+fO7/JsVmBTVvlDjlYAo7tjoYA6Ns5JA:PtedmBT7qpjA6K5JA
                    MD5:136235FD2D1BC8A89171BD118564B83E
                    SHA1:F7D1234E842F1E16329E020CCE63DC89B787403C
                    SHA-256:3F527CBD7CAD5F18507D0D8F2A77B2472133AA2967363B08C5D935612E2253A9
                    SHA-512:3C6406265ECF3B7E322803DA7C8CE41208CDAB6FF3E9B9FD7F99E7D80468B16F9D9BC1C858044C2DA3032BD7EF276BAAD434450DE6D8056E1902EDFC6D8E6F4E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Microsoft Cabinet archive data, many, 22717 bytes, 3 files, at 0x44 +A "PrintControl_res_zh_TW.dll" +A "csprintdlg_res_zh_TW.dll", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):29317
                    Entropy (8bit):7.946841111964851
                    Encrypted:false
                    SSDEEP:768:2WhaOwFUOQATDteaDLlCnSwvdDXHKUs5Jn:2WhaVFUOHzDxvY1XE5Jn
                    MD5:236D1D91FBBA9FB56600F0E4E632AA11
                    SHA1:5F84A9A59D353D67A437811785F5ED7CEF4DA3AE
                    SHA-256:67A2BBAA031D74B115A2DEFEDF4535F30770D0CE05B4579E906FF9F6F283BCC2
                    SHA-512:E4A62CD58524E207F256B5E3B763680F040DBE07253E9FBEC25370F4FEB6A3310067FC590C7B090423B1E891BE5782D5078DF6E42F2B186D2F7CA82006CCE3B0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (65379), with CRLF line terminators
                    Category:dropped
                    Size (bytes):449249
                    Entropy (8bit):5.493020874736691
                    Encrypted:false
                    SSDEEP:6144:x9QqU5/ZyxV9KpGnRn3uGDYSoZEfwU1MpcF4SRMnAKRnXONkJJ:XQqU5/ZyxV9KpGnRn3uDSMEfwU194yeJ
                    MD5:BAFACE5B076066CBFEADE33B81B7EFCB
                    SHA1:9705402206EF5F489E007368A5D9DF07F5C060AD
                    SHA-256:7D2BF31A3B781E28E3DAB51FBD5629C18627062DDCA94D9B8CD4317946EB988D
                    SHA-512:6351E30F8FC160503C271599296784F42360634612DC29B9DFB5ED4C6DE34BD6AA575DB41AAE0196DBBA58E56DECD65470D891F381A379AC29F282BE101ADD51
                    Malicious:false
                    Reputation:low
                    Preview:/***....MochiKit.Base 1.4....See <http://mochikit.com/> for documentation, downloads, license, etc.....(c) 2005 Bob Ippolito. All rights Reserved.....***/..if(typeof (dojo)!="undefined"){dojo.provide("MochiKit.Base")}if(typeof (MochiKit)=="undefined"){MochiKit={}}if(typeof (MochiKit.Base)=="undefined"){MochiKit.Base={}}MochiKit.Base.VERSION="1.4";MochiKit.Base.NAME="MochiKit.Base";MochiKit.Base.update=function(B,D){if(B===null){B={}}for(var C=1;C<arguments.length;C++){var E=arguments[C];if(typeof (E)!="undefined"&&E!==null){for(var A in E){B[A]=E[A]}}}return B};MochiKit.Base.update(MochiKit.Base,{__repr__:function(){return"["+this.NAME+" "+this.VERSION+"]"},toString:function(){return this.__repr__()},camelize:function(B){var A=B.split("-");var D=A[0];for(var C=1;C<A.length;C++){D+=A[C].charAt(0).toUpperCase()+A[C].substring(1)}return D},counter:function(A){if(arguments.length===0){A=1}return function(){return A++}},clone:function(B){var A=arguments.callee;if(arguments.length==1){A.pro
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (352), with CRLF line terminators
                    Category:dropped
                    Size (bytes):17164
                    Entropy (8bit):5.446045250705496
                    Encrypted:false
                    SSDEEP:384:XcKoA1ikH3+PGFIsdzZ+hbpkHVH7p1cM5AvWQ0NcCZPDAd9:XR1RX+PFsd1+hbmHd7zAvWfNcCZkd9
                    MD5:C7F4D0D2B569BF8726166874280153D5
                    SHA1:4802A7857F24C59BB4606C5901692B29E8CBF392
                    SHA-256:BC3131FA4F8E6848197DEEBFCD5CC8533C593413586CC6BF4008D10B21A163B0
                    SHA-512:07DFF3BAC28A628554C4FE0A1621780DDD4C59F2FBDAE2500421026D9108BFDDD1F260F2E15F95527FF5E9478AF14EED77A29ADE5100CF17EE6530A67E9EDB6D
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Hlavn\u00ED sestava";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "P\u0159echod na prvn\u00ED str\u00E1nku";..var L_bobj_crv_PrevPage = "P\u0159echod na p\u0159edchoz\u00ED str\u00E1nku";..var L_bobj_crv_NextPage = "P\u0159echod na dal\u0161\u00ED str\u00E1nku";..var L_bobj_crv_LastPage = "P\u0159echod na posledn\u00ED str\u00E1nku";..var L_bobj_crv_ParamPanel = "Panel parametr\u016F";..var L_bobj_crv_Parameters = "Parametry";..var L_bobj_crv_GroupTree = "Strom skupiny";..var L_bobj_crv_DrillUp = "Zav\u0159\u00EDt podrobn\u00E9 zobrazen\u00ED";..var L_bobj_crv_Refresh = "Obnovit sestavu";..var L_bobj_crv_Zoom = "P\u0159ibl\u00ED\u017Eit/odd\u00E1lit";..var L_bobj_crv_PageNav = "Navigace str\u00E1nky";..var L_bobj_crv_SelectPage = "P\u0159ej\u00EDt na str\u00E1nku";..var L_bobj_crv_SearchText = "Vyhledat text";..var L_bobj_crv_Export = "Exportovat tuto sestavu";..var L_bobj_crv_Pr
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (328), with CRLF line terminators
                    Category:dropped
                    Size (bytes):15160
                    Entropy (8bit):5.264435095214407
                    Encrypted:false
                    SSDEEP:384:+7mRHzr647DljsyjAed1i1OBzMaazXh4dYTuXJIP30kgP1Ad1WNfhb9:w+XZ9zMa9dYTuXJiGN5b9
                    MD5:DE5AFCE9F4A3D3E213E27356087D4945
                    SHA1:5699B1A61BFE2B35CB96C0FB6BBB79A2505CE82D
                    SHA-256:734915190969787DE4C227260AC3E31D66B9B56CEAD4469D093CC7D673F9F71D
                    SHA-512:D3A7B6EC44C6E028F7D97DF01E718935671FBB28009898A9712AD0E3A09713F31D0C7343C26430F0125A811E981AA6D01827C21CF304B4577EB5E72AEE79A03A
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Hovedrapport";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "G\u00E5 til f\u00F8rste side";..var L_bobj_crv_PrevPage = "G\u00E5 til forrige side";..var L_bobj_crv_NextPage = "G\u00E5 til n\u00E6ste side";..var L_bobj_crv_LastPage = "G\u00E5 til sidste side";..var L_bobj_crv_ParamPanel = "Parameterpanel";..var L_bobj_crv_Parameters = "Parametre";..var L_bobj_crv_GroupTree = "Gruppetr\u00E6";..var L_bobj_crv_DrillUp = "Analyser stigende";..var L_bobj_crv_Refresh = "Opdater rapport";..var L_bobj_crv_Zoom = "Zoom";..var L_bobj_crv_PageNav = "Sidenavigation";..var L_bobj_crv_SelectPage = "G\u00E5 til side";..var L_bobj_crv_SearchText = "S\u00F8g efter tekst";..var L_bobj_crv_Export = "Eksporter denne rapport";..var L_bobj_crv_Print = "Udskriv denne rapport";..var L_bobj_crv_TabList = "Faneliste";..var L_bobj_crv_Close = "Luk";..var L_bobj_crv_Logo= "Business Objects-logo";..var L_bobj
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (334), with CRLF line terminators
                    Category:dropped
                    Size (bytes):15935
                    Entropy (8bit):5.2459163383439735
                    Encrypted:false
                    SSDEEP:384:Vsv/6+gyy5dw5RmVjV0Pg7VbQRM+G7FkTPQtP3LhY+uJFSKIT+:g65fIm0Pg7L+G7FkTIldYdTIT+
                    MD5:73D46BFE5A62334C9A003D4A1F330F90
                    SHA1:284704A7D45E94FCF8515E48BCACC0C02F11D677
                    SHA-256:0848B042801E0589DFCBE2E2E9FD83F05807A967EA1C030475012BF6E72366C2
                    SHA-512:CEFDF276C0DD372A797052BCF3DD514A948A1669FE2ADD3245DFC4A59571677BC66F35D028A94BDD03CFEEEE7B9CB4C2500368CCADB1EBC6D18F8CA9F2C1D81F
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Hauptbericht";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Zur ersten Seite";..var L_bobj_crv_PrevPage = "Zur vorherigen Seite";..var L_bobj_crv_NextPage = "Zur n\u00E4chsten Seite";..var L_bobj_crv_LastPage = "Zur letzten Seite";..var L_bobj_crv_ParamPanel = "Parameterbereich";..var L_bobj_crv_Parameters = "Parameter";..var L_bobj_crv_GroupTree = "Gruppenstruktur";..var L_bobj_crv_DrillUp = "Drillup";..var L_bobj_crv_Refresh = "Bericht regenerieren";..var L_bobj_crv_Zoom = "Zoom";..var L_bobj_crv_PageNav = "Seitennavigation";..var L_bobj_crv_SelectPage = "Gehe zu Seite";..var L_bobj_crv_SearchText = "Nach Text suchen";..var L_bobj_crv_Export = "Diesen Bericht exportieren";..var L_bobj_crv_Print = "Diesen Bericht drucken";..var L_bobj_crv_TabList = "Tabulatorliste";..var L_bobj_crv_Close = "Schlie\u00DFen";..var L_bobj_crv_Logo= "Business Objects-Logo";..var L_bobj_crv_FileMenu
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (351), with CRLF line terminators
                    Category:dropped
                    Size (bytes):16422
                    Entropy (8bit):5.221900380967974
                    Encrypted:false
                    SSDEEP:384:h2exe25G4e9lI1YwwBVaDBVIbVK4xP067okinDACBi4lmDBVcwBVSDsp:hPe2ke1YFjaDjIbVLlW8CBifDjBjesp
                    MD5:6D6E601C63FE0FC240A42500338A38E2
                    SHA1:C98513A9DD95897789212CD09810B7E60E55A7D4
                    SHA-256:FC5834E222CFE6E5BFD0EAAA5D411D3B5C4B1A43C7FF1453A3D4AB75F6F5F01F
                    SHA-512:EEDE4E4602FE85BA11332F6F08229AF7A17A347B185AD7C0B68E4A398B82F960285573713E0258DA5858DA228312265C686476F90A3C17F4D2C380914AD82EDC
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Rapport principal";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Aller \u00E0 la premi\u00E8re page";..var L_bobj_crv_PrevPage = "Aller \u00E0 la page pr\u00E9c\u00E9dente";..var L_bobj_crv_NextPage = "Aller \u00E0 la page suivante";..var L_bobj_crv_LastPage = "Aller \u00E0 la derni\u00E8re page";..var L_bobj_crv_ParamPanel = "Panneau des param\u00E8tres";..var L_bobj_crv_Parameters = "Param\u00E8tres";..var L_bobj_crv_GroupTree = "Arborescence des groupes";..var L_bobj_crv_DrillUp = "Explorer en arri\u00E8re";..var L_bobj_crv_Refresh = "Actualiser le rapport";..var L_bobj_crv_Zoom = "Zoom";..var L_bobj_crv_PageNav = "Navigation dans les pages";..var L_bobj_crv_SelectPage = "Aller \u00E0 la page";..var L_bobj_crv_SearchText = "Rechercher le texte";..var L_bobj_crv_Export = "Exporter le rapport";..var L_bobj_crv_Print = "Imprimer le rapport";..var L_bobj_crv_TabList = "Liste des o
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (338), with CRLF line terminators
                    Category:dropped
                    Size (bytes):15432
                    Entropy (8bit):5.129123489897717
                    Encrypted:false
                    SSDEEP:384:71bOrmX1wDXUO5obURAouieR10CHPc6jPqngz7Ma0/B:7ormlO6b8DuieR10CHPc6jPqn07l0/B
                    MD5:F49E688F574252DD7B6F517CA64D299D
                    SHA1:81D71CBA1387121981C69171C8A77EFDBD89CC1C
                    SHA-256:B9C867599A94388B41AA3B1C4BD069ADAA12D8E2FC2A186BD863010DB9632CBD
                    SHA-512:0FBCEF9818A17C26017026DCAEE3FAFD2F9C1540A8BD99FEF914B49EE6D3FA1B6B3CECA3A478AF0A62209E4A1C0F5B8D1B5EF5BF2D8CA058F3593E23AECA2FC3
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Report principale";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Vai alla prima pagina";..var L_bobj_crv_PrevPage = "Vai alla pagina precedente";..var L_bobj_crv_NextPage = "Vai alla pagina successiva";..var L_bobj_crv_LastPage = "Vai all\'ultima pagina";..var L_bobj_crv_ParamPanel = "Pannello parametri";..var L_bobj_crv_Parameters = "Parametri";..var L_bobj_crv_GroupTree = "Albero dei gruppi";..var L_bobj_crv_DrillUp = "Drill Up";..var L_bobj_crv_Refresh = "Aggiorna report";..var L_bobj_crv_Zoom = "Zoom";..var L_bobj_crv_PageNav = "Navigazione pagine";..var L_bobj_crv_SelectPage = "Vai alla pagina";..var L_bobj_crv_SearchText = "Cerca testo";..var L_bobj_crv_Export = "Esporta questo report";..var L_bobj_crv_Print = "Stampa questo report";..var L_bobj_crv_TabList = "Elenco tabulazioni";..var L_bobj_crv_Close = "Chiudi";..var L_bobj_crv_Logo= "Logo Business Objects";..var L_bobj_
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (373), with CRLF line terminators
                    Category:dropped
                    Size (bytes):16095
                    Entropy (8bit):5.224090088223997
                    Encrypted:false
                    SSDEEP:384:wQnkDBzN+dt6UMgcE/sMU5YuEE3NFK/sek3O7j0JWSnWvF:/ng9At6Q/PU5vEE3NFK/sek3Ov0WvF
                    MD5:60546DF31FB80C3ECEE36F588C67DFE5
                    SHA1:9A3C0D45881D4180C13A786F87BA9DFBFD4E66F6
                    SHA-256:9DB255C3C311926668F645AFBC2E4953D2CBD9C02AF2333861F09F6C95BB2125
                    SHA-512:0C7BE82FD4590C896331C1F8A9A8AC488F719FEF463B6143BF48FB073EF2256C79CB4E8526E19DA80BC6E555A1EC0D807053C5F06B70740854BC23A14898AE9D
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Relat\u00F3rio Principal";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Ir para a Primeira P\u00E1gina";..var L_bobj_crv_PrevPage = "Ir para a P\u00E1gina Anterior";..var L_bobj_crv_NextPage = "Ir para a Pr\u00F3xima P\u00E1gina";..var L_bobj_crv_LastPage = "Ir para a \u00DAltima P\u00E1gina";..var L_bobj_crv_ParamPanel = "Painel de par\u00E2metros";..var L_bobj_crv_Parameters = "Par\u00E2metros";..var L_bobj_crv_GroupTree = "\u00C1rvore de Grupos";..var L_bobj_crv_DrillUp = "Pesquisar";..var L_bobj_crv_Refresh = "Atualizar Relat\u00F3rio";..var L_bobj_crv_Zoom = "Aplicar Zoom";..var L_bobj_crv_PageNav = "Navega\u00E7\u00E3o da p\u00E1gina";..var L_bobj_crv_SelectPage = "Ir para a P\u00E1gina";..var L_bobj_crv_SearchText = "Procurar texto";..var L_bobj_crv_Export = "Exportar este relat\u00F3rio";..var L_bobj_crv_Print = "Imprimir este relat\u00F3rio";..var L_bobj_crv_TabList = "L
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (421), with CRLF line terminators
                    Category:dropped
                    Size (bytes):17129
                    Entropy (8bit):5.406588888186009
                    Encrypted:false
                    SSDEEP:384:aLYyOh494WOhQN6XCmszscQFYRCFRsRaD+NsAsh3naTqC:+O+rKojQFtFRsRaD++KTqC
                    MD5:234DBBA198A0155DE4C743FA341DE4A6
                    SHA1:4F8AE47388625274DE976EF556595CEB99E290A1
                    SHA-256:A02F8C870E685D02776A9C56669933C75D3E9ACC452C91E3E02A27579E8292A0
                    SHA-512:47D36B60564D88B6A990E73259EE0FB9731F3EF2578306C3318BFDF817C7456F65ED154190ED608B2272235B2E978DC37D0E94A64B8C05AD74D67CE534EC4FB1
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Ana Rapor";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "\u0130lk Sayfaya Git";..var L_bobj_crv_PrevPage = "\u00D6nceki Sayfaya Git";..var L_bobj_crv_NextPage = "Sonraki Sayfaya Git";..var L_bobj_crv_LastPage = "Son Sayfaya Git";..var L_bobj_crv_ParamPanel = "Parametre Paneli";..var L_bobj_crv_Parameters = "Parametreler";..var L_bobj_crv_GroupTree = "Grup A\u011Fac\u0131";..var L_bobj_crv_DrillUp = "Ayr\u0131nt\u0131 Seviyesini Azalt";..var L_bobj_crv_Refresh = "Raporu Yenile";..var L_bobj_crv_Zoom = "Yak\u0131nla\u015Ft\u0131r";..var L_bobj_crv_PageNav = "Sayfada Gezinme";..var L_bobj_crv_SelectPage = "Sayfaya Git";..var L_bobj_crv_SearchText = "Metni ara";..var L_bobj_crv_Export = "Bu raporu d\u0131\u015Fa aktar";..var L_bobj_crv_Print = "Bu raporu yazd\u0131r";..var L_bobj_crv_TabList = "Sekme listesi";..var L_bobj_crv_Close = "Kapat";..var L_bobj_crv_Logo= "Business Objects
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (485), with CRLF line terminators
                    Category:dropped
                    Size (bytes):18011
                    Entropy (8bit):5.771964390322856
                    Encrypted:false
                    SSDEEP:192:EfI714upndNKE56/0KdJwX2cmP/No/B56abeaeFY3uA+yD9eMQggTQxFV0NdPWVD:EgWKTKEUPDcKq/B56aSaeFqe9T0FV1VD
                    MD5:FADDF4F853184DFF4EFF4527A594B126
                    SHA1:CE010124FFA5196205EF0935ECFA620F405612BF
                    SHA-256:2B52B482A75BEE536EA9E8B691487FD19B0EC1A98FF8F405F8D9BC110AE4A03C
                    SHA-512:30F17BE2186B8C3A71F6E990607E8F2920571E3FC7E25951E8C9572659142A9FC8EFB221DF875DCD4860188257B6D44EE6EF8A3261D4DA400A65895C8C5DC3D1
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "\u4E3B\u5831\u8868";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "\u79FB\u81F3\u7B2C\u4E00\u9801";..var L_bobj_crv_PrevPage = "\u79FB\u81F3\u4E0A\u4E00\u9801";..var L_bobj_crv_NextPage = "\u79FB\u81F3\u4E0B\u4E00\u9801";..var L_bobj_crv_LastPage = "\u79FB\u81F3\u6700\u5F8C\u4E00\u9801";..var L_bobj_crv_ParamPanel = "\u53C3\u6578\u9762\u677F";..var L_bobj_crv_Parameters = "\u53C3\u6578";..var L_bobj_crv_GroupTree = "\u7FA4\u7D44\u6A39\u72C0\u7D50\u69CB";..var L_bobj_crv_DrillUp = "\u5F80\u4E0A\u947D\u53D6";..var L_bobj_crv_Refresh = "\u91CD\u65B0\u6574\u7406\u5831\u8868";..var L_bobj_crv_Zoom = "\u7E2E\u653E";..var L_bobj_crv_PageNav = "\u9801\u9762\u5C0E\u89BD";..var L_bobj_crv_SelectPage = "\u79FB\u81F3\u9801\u9762";..var L_bobj_crv_SearchText = "\u641C\u5C0B\u6587\u5B57";..var L_bobj_crv_Export = "\u532F\u51FA\u9019\u4EFD\u5831\u8868";..var L_bobj_crv_Print = "\u5217\u5370\u901
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:exported SGML document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1697
                    Entropy (8bit):5.019708253696153
                    Encrypted:false
                    SSDEEP:48:aJZpcCntRqMOlWXHkTiMoOJSO80OsTOgwrOjpJZc:aJ3cSToWUPofErWruJm
                    MD5:954B7D315090ECACE12762D2698004BC
                    SHA1:B8C9C9DC26D30F0F3DF671C3B0DAD01DDADDD681
                    SHA-256:62646FB7D08D09A9428AB8269EBAD950A8434F765B5F016786DACCEB22CA008F
                    SHA-512:C91F9E5685826A85D4BE3FFFB6D88B1E276DA4F1EA3AD4C35F1734C8C4A1BDF8504F72054DDA90D3BB4D06CFD69DACA2ED0EA217FA6841BA4F3FEEEA9B480443
                    Malicious:false
                    Reputation:low
                    Preview: DEFAULT STYLE SETTINGS -->....BODY { ...font-family: Verdana, Arial, Helvetica, sans-serif;.. .font-size: 8pt; ..}.....table { ...font-size: 8pt;...font-family: Verdana,Arial, Helvetica, sans-serif..}....A:link { ...color: blue; ...font-family: Verdana,Arial, Helvetica, sans-serif; .....}....A:visited { ...color: blue; ....}....A:hover {color: red;}.....header { ...background: black;...color: white; ...font-size: 8pt; ...font-family: Verdana,Arial, Helvetica, sans-serif;..}..A.header:link { color: white; text-decoration:none; }..A.header:visited { color: white; text-decoration:none; }..A.largeheader:link { ...color: white;...font-size: 12pt;...text-decoration:none;..}..A.largeheader:visited {...color: white;...font-size:12pt;...text-decoration:none;..}..A.header:hover { color: red; text-decoration:none; }.....actions { ...background:#ffcc11;.../*background:gold;*/...color: black; ...font-size: 8pt; ...font-family: Verdana,Arial, Helvetica, sans-serif;..}.....radio { .../*backgroun
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):10047
                    Entropy (8bit):4.883569534921437
                    Encrypted:false
                    SSDEEP:192:1PZTsWu5yi/A41bxxEC/ht2pda+uK/jbz/e0YO0EQC5Yt/W:ng92VR
                    MD5:5D470E10754198A352F308E3F9C31872
                    SHA1:74173EDD39382A79D752071ABBD1AB646E329EDF
                    SHA-256:E11CED39EE65FF8B9E5B4130829AA0C32CF0B5C846DB9E90F226ABF8293CCFEA
                    SHA-512:9FC68D0ADC68320252C5F6D4F7EBA809F932EF4023F4EAA99493F48731FDC5C79C42FE399BACACC32A90D608A5188758FC6C3FC826E1EDABE4EDB4FA7AEAE9B6
                    Malicious:false
                    Reputation:low
                    Preview:.crpage..{.. background-color:#FFFFFF;.. color:#000000;.. font-family:verdana,Arial;..}.....crheader..{.. background-color: #E4E4EC;.. color: #000000;.. font-family:verdana,Arial;.. border-bottom:1px solid #BEBED1;..}.....crheader A..{.. color:#000000;.. cursor:hand;.. text-decoration:none;..}.....crheader A:hover..{.. color:#FF0000;.. cursor:hand;.. text-decoration:none;..}.....crtitle..{.. color:#52526F;.. font-size:11pt;.. font-family:Arial;..}.....crpagepath..{.. background-color:#006699;.. color:#ffffff;.. padding-left:10;..}.....crpagepath A..{.. color:#FFFFFF;.. cursor:hand;.. text-decoration:none;..}.....crpagepath A:hover..{.. color:#FF0000;.. cursor:hand;.. text-decoration:none;..}.....crwizard..{.. background-color:#CAC9D9;.. color:#000000;.. font-family:verdana,Arial;.. border-top:1px solid #FFFFFF;..}.....crwizardtitle..{.. color:#52526F;.. font-size:11pt;.. font-family:Arial;..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):409
                    Entropy (8bit):4.740516428146508
                    Encrypted:false
                    SSDEEP:12:9Gm8NqQGm8Q939ZsUCh/NGm8v/KH1tL03St:iJsUIlHDLZt
                    MD5:B73DF589DBF75AABE753C74A8595575F
                    SHA1:A04C95BEC85F4785CFCFC9327BB39524E4CF845A
                    SHA-256:3EAEABBEEE73250D571BE4710DFACA7F7CC0E8ECDDAB5473E017CB993A8610AF
                    SHA-512:61C494CB35F0B2FAEB9220AD7EC9AA5F39BBB78CB97346D62D48FFAC222C47443AB2549D162B5F56922335C91E1D06D64125E4218F8DA3D3341207B0F1F214D0
                    Malicious:false
                    Reputation:low
                    Preview:.crExceptionBorder ..{.. background-color: #A3A3BC; ..}.....crExceptionHeader ..{.. background-color: #E4E4EC;.. color: black.. font-family: Arial;.. font-weight: bold;.. font-size: 11pt;..}.....crExceptionElement ..{.. background-color: #E4E4EC;.. border-top:1px solid #FFFFFF;..}.....crExceptionText ..{.. color: black;.. font-family: Arial;.. font-size: 11pt;..}..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1849
                    Entropy (8bit):4.6942538950248105
                    Encrypted:false
                    SSDEEP:24:O2vRrOPRfLR4LgHjV/RsvtDnYiDnYp76w/B25z76w/B25w:lAPRccM9YeY//B23/B26
                    MD5:472178DFBF107F3E1F568A24B93DB5C6
                    SHA1:6A267200D03F675F6585A0AF40A79520E699C255
                    SHA-256:4292BCC469D3B1DF56F5BD278B73F05E284660731E37F7CDA12335AA5F96DE16
                    SHA-512:663ADFC7192CFDA58BE4245847A6888D79E1B3D70D35F7CC0D1794C753C23367088EAE0F8E5558CE339F024768888AC50DD3438C55B3BDF3BD53CEBA8870B621
                    Malicious:false
                    Reputation:low
                    Preview:.promptBorder..{.. background-color: #96A8C3;..}.....promptHeader..{.. padding : 2px 5px;.. color: white;.. font-family: Tahoma, sans-serif;.. font-size: 8.5pt;.. font-weight : bold;..}.....promptElement..{.. background-color: #E5EAF3;.. border-top:1px solid #FFFFFF;..}.....promptElementText..{.. color: black;.. font-family: Arial;.. font-size: 11pt;..}.....promptingText..{.. color: black;.. font-family: Tahoma, sans-serif;.. font-size: 8.5pt;..}.....promptRuler..{.. color: #A3A3BC;.. height: 1px;..}.....promptMessage..{.. color: #4F5C72;.. font-family: Tahoma, sans-serif;.. font-weight: bold;.. font-size: 8.5pt;..}.....promptTextBox..{.. font-family: "arial" , "sans-serif";.. font-size: 11px;.. background-color: white;.. border: 1px solid #96A8C3;.. background-repeat: repeat-x;.. padding-left: 5px;.. padding-right: 2px;.. height : 20px;..}.....promptButton..{..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):610
                    Entropy (8bit):5.331062873850001
                    Encrypted:false
                    SSDEEP:12:J37P4fhmDm09bCQmZQXlc2UE8h2ufXorrXNmteOub7Ll:J37ApWm0bCQTl1PYfXeXNmtejb7Ll
                    MD5:890E07A6CC5D9A7A446EA19758C3A74D
                    SHA1:32E934FA8CF208AF2A5D018EF6BF28DA2784B7AF
                    SHA-256:DEE456A8CFF5BECFE2F3943198FC513A78A663803E1B26A15C645F9B3D478B58
                    SHA-512:23037A2D570BB93CB0B3C892F238220810CF7945B0542323C5E667738538887709E0E5A72CCF7B7C9DCCE9C410B172B25D94CA71BE436FD932D7F405F286E230
                    Malicious:false
                    Reputation:low
                    Preview:<HTML>..<HEAD>..<META http-equiv=content-type content="text/html; charset=utf-8">.. <TITLE>Crystal Reports</TITLE>..</HEAD>....<SCRIPT language="JavaScript">.... //newWin = window;.. // USE THE JAVASCRIPT-GENERATED DOCUMENTS (calDocTop, calDocBottom) IN THE FRAMESET.. calDocFrameset =.. "<FRAMESET ROWS='70,*' FRAMEBORDER='0'>\n" +.. " <FRAME NAME='topCalFrame' SRC='calendartop.html' SCROLLING='no'>\n" +.. " <FRAME NAME='bottomCalFrame' SRC='calendarbottom.html' SCROLLING='no'>\n" +.. "</FRAMESET>\n";.... document.write(calDocFrameset);....</SCRIPT>....</HTML>..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):226
                    Entropy (8bit):4.880385389487721
                    Encrypted:false
                    SSDEEP:6:qqIX7PwWR0NNEXW0YBM05T0bpnOsm/BA5SRFjM00Gu:oX7P4fhtTID4BzMXGu
                    MD5:63A9A39ADCB298A433DCDB2289A1F832
                    SHA1:46A8874157375ED7CD8E58CC2B424CABC5BBAC56
                    SHA-256:A67FF9A4783D72590D12D3531A340F844D57BE6D0A7EA1CD4FE2D7AC4CBC5435
                    SHA-512:FCF5F1A5098ACAB9EE414236E7E68A1874A797717C5B26E5CFE6D60DD56145EC133F3863E3D2D9D8F6B73A1DACCD835C48D1DEA7CE36EE632CCC1CAC6169BF3F
                    Malicious:false
                    Reputation:low
                    Preview:<html>...<head>....<meta http-equiv=content-type content="text/html; charset=utf-8">...</head>...<body>....<script language="javascript">.....document.write(parent.parent.opener.calDocBottom);....</script>...</body>..</html>..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):223
                    Entropy (8bit):4.892551879541693
                    Encrypted:false
                    SSDEEP:6:qqIX7PwWR0NNEXW0YBM05T0bpnOsm/BA5SJrM00Gu:oX7P4fhtTID4BBMXGu
                    MD5:BDCEEF55FE02E224E033C35A62BACB9B
                    SHA1:6F797C795D1328D579AC6750012DA1DACF41B4FD
                    SHA-256:564D1C90C3D7480C3909B9EFD44A0695C15FCC979D9FCCC38B8BDAF4EDC8E192
                    SHA-512:024474E1A52B8EA5C074E3DC43984177953DEC88A49FF8C75006CCF653911DA671E9D86C388AED61AA00D9D3A61220BEF41CEFCB33A43E42953B46482BA76BC3
                    Malicious:false
                    Reputation:low
                    Preview:<html>...<head>....<meta http-equiv=content-type content="text/html; charset=utf-8">...</head>...<body>....<script language="javascript">.....document.write(parent.parent.opener.calDocTop);....</script>...</body>..</html>..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 10 x 20
                    Category:dropped
                    Size (bytes):351
                    Entropy (8bit):6.040246259056776
                    Encrypted:false
                    SSDEEP:6:zilGFv7DXpRpx6FbYE+QW4pnI7IOrl4+uw+Wd3EPRJOlpp5/4o+ILT:LztRbSbmQW4pnI7DrjGWdwRAlpH/4o+s
                    MD5:21694B48F17B53CC0F13F18742B7D051
                    SHA1:F0F6DAF19E117B7A03948AEB52CD03FBD0124DF6
                    SHA-256:75CAE9347BD7601580FBD40E8D6C26F827CE83A358F1EB8E872F5E7687FDF6C1
                    SHA-512:D68D67D2659B7AEF66A05E891E3E0BCEF631138A40F4F1DA9DBA611CF991C59175189189D25F31249518A9274D61C5CCC8E548604AD52ED5C82B9AA717DEAC35
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 2 x 20
                    Category:dropped
                    Size (bytes):168
                    Entropy (8bit):5.523473544898481
                    Encrypted:false
                    SSDEEP:3:CubcFpwpsOYn7EOGcDDmtKjfefx1SAxlRl5V8o7ViVn7/2NlEn:IFpcsZn7Sy0KCp1SABiVn7Fn
                    MD5:36116A091C21F3052483F71D0DA189A5
                    SHA1:8FB3F88FE25F49CB1851B72F039D39D28FEDBF7A
                    SHA-256:4F6F9A6AA63D857142FC915B3F6046E156B714EC529FDFC3802FAC4FD9879A0C
                    SHA-512:2ADE78B7889BD8E732FB85B798807B84976679A1C69A5F50EEFD3BD26E24D4A903A99243335516985012E5FC76BA2A88E0E85E15B1FDBA1185B9D8E9EBC8023E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 10 x 20
                    Category:dropped
                    Size (bytes):350
                    Entropy (8bit):6.0431744464702275
                    Encrypted:false
                    SSDEEP:6:zilGFv7DXpRpx6FbYE+QW4pnI7IOrlHwb0YkRbjt0v+fMdE:LztRbSbmQW4pnI7Drsmbjt0v+fl
                    MD5:A27CBCBD114CE2D39377E1A0F446E164
                    SHA1:01C65B741ABF575B7C42A726B0465B8D8BC03D97
                    SHA-256:FB739EACFCA239FAD717E5C0B704053DDABEF23FAA7B13E4EE1AF09B34824A3E
                    SHA-512:BB6814C72865AD25D51D670BEE71C5FF9605300AD23831921855A1C61A1B1A7D82DEC98BEFF37CFDAC305DBFA63F1B70953DC5EFF8C0DC5DB8B3542DD5648701
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 16 x 12
                    Category:dropped
                    Size (bytes):977
                    Entropy (8bit):5.504532482823105
                    Encrypted:false
                    SSDEEP:12:K0mg9UWgTDVnTAcmF+E9NX6GgQ3LbawQ3JUAjckv32g8ba5tx+hAswgqGn:K0mg9UXNccmF+eXLHbZIrjFdKc/xgqQ
                    MD5:CB5C14853045928E5F272A325A3486FF
                    SHA1:62FC9BD86375A0B16F1B58433AD89BB89D23AA97
                    SHA-256:0E46CD9BB44AB78982FB3C7F87818619AA531EB4F8BE605CEE42396B9FE5C33C
                    SHA-512:BECCD22864F168A28663CA42A0EF79086D84AEC8B6BC98483C85AF853483FDA9C6A2161D1F77F80797E17925F9F59B4477598E0C8619805EBE360977B8239634
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 24 x 18
                    Category:dropped
                    Size (bytes):1159
                    Entropy (8bit):7.538315742965536
                    Encrypted:false
                    SSDEEP:24:aX9xWVJFhtPT9SJncLCss3q4GXxOR30kySfAXOVahe3w:A9eJ1PQcWh3q4H3KYAMah1
                    MD5:5B6B13CAE1350D37833ACA22AA1923C7
                    SHA1:3A4A65CD27ECE855C3BB14DFBF278736471BE3B4
                    SHA-256:9281477C05F204653B61070150F78AD729886F64B64FEB859E890F8D1AE5519A
                    SHA-512:B3D069A67A2A1D6F0C8747A474A1F56EF6AAF5D144D37E3C79194FDAB430DC5944EF13EA433F8302FBF681B84D56C20AE089FD1D047D448F0CB8010433269A03
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 32 x 24
                    Category:dropped
                    Size (bytes):849
                    Entropy (8bit):7.502682000202864
                    Encrypted:false
                    SSDEEP:24:vREifgfAKggZ43wqxVdoKK28Eoj3S0hXIiNF:5EQg2wwNC3tF
                    MD5:7F3F935C833EB489701C047F4AD8CBA8
                    SHA1:E77407609D39F46C4F5504C54F838C6036AE5A29
                    SHA-256:619D9C2C254C2EE43E1A73A5528D37873D2C8BA626AC1CF4749284EB43A8FA05
                    SHA-512:230098712B47573522014C6361DE3C7BAC14D4A0F8B458F73C9426852FACA1BE9CFC7090C6BEF2F941AC11F6281AC4B03C6D9AA10C4AC6A93B190CBABAA4EF01
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 40 x 30
                    Category:dropped
                    Size (bytes):995
                    Entropy (8bit):7.628599949190669
                    Encrypted:false
                    SSDEEP:24:VSTKysvR0vGi4KnnrFnxCAWU+JQGHnleg40704xjj:VS2HJ0vfFxCTJReg4070e
                    MD5:789BC85D6079BC4D60C6B7D3E75CFE52
                    SHA1:37740A121D99F6E169C0C228731BB52C48302836
                    SHA-256:413361CF9F3BFD76E590CEF1A376928692703A0F93F75800848D02029FF062DF
                    SHA-512:2C836BD7A1D4A6EB32C956C72BB5420D7833E532AE35CE6B47BC0ED430C7FADF776825F977ABF590C553A1BD3CA00527DFA35BC34AF7F5A521F39F6AD5C5F35E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 48 x 36
                    Category:dropped
                    Size (bytes):1623
                    Entropy (8bit):6.851677118770325
                    Encrypted:false
                    SSDEEP:48:ifhFLV2x107Hx/zTUQInKi8nvCAdiMPcBfxPho:ip94sz7InKTnv/RO5Pho
                    MD5:E1AF2A54B67886F13447562D396B5414
                    SHA1:F9D02823540875E3CA43EC3F6C0DE2A62A98021E
                    SHA-256:3ADC0EC869741FAE5FAFC3ACBF1B36A3BF7A339366EA8DA9D1D8D090DCCE6426
                    SHA-512:ADB41E1978333E744DE9B6CC75969C1F3EACA2B7AD6D1F295ACF96627EE62D8BF1FDB53473D81C623FFDEF0FE4E61BD83F5643B24E0DC8E1670CF78FA6EC1A88
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 56 x 42
                    Category:dropped
                    Size (bytes):1734
                    Entropy (8bit):7.0271989785736455
                    Encrypted:false
                    SSDEEP:24:v2JYxZzM4LJLY53ikNJ2CIxMLo7wZvk4sbf71pMXFn1S2rsWfjyM3qzEJLU:eJYtujNJ2CUMLoZj/52rxjeJ
                    MD5:F50B1F4284D85B9DB64B9E274CAA2A77
                    SHA1:666EDF752A7551D2CA097415B49A06C59EB91F58
                    SHA-256:6F3906C9A845B7BD178736BAA3D85512475D6233D5108C37C4FC8351F61870B4
                    SHA-512:D281E2775D5BC5B50E74EC07637ACA539AD46FD85B99462321F6D5000D03AC471649C3A6387C9DE5C1F4901057E6D4292EE08893DBEFA146AC7662D82D6A6111
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 64 x 47
                    Category:dropped
                    Size (bytes):1993
                    Entropy (8bit):7.202066472453615
                    Encrypted:false
                    SSDEEP:48:dU7OJxn6zFPtBLhd9rkrmHXOqMGVZaoQokHDvWih:6696zptzd9oy3tMUkHD3
                    MD5:32165C3B98C54F63216F623D1BA5671C
                    SHA1:66F0A31A468FC05EF4E2BEAEE11C75E263DB2E8C
                    SHA-256:144C4F73F453B2B4D80A162A375151ADEE374272367AF1CA92F6662FBECA950F
                    SHA-512:927B491411D1A1CD535DE2E523C9C54D504C94E518D26A6298C48AF2E056336470B3E0E8119EA9567730E47D9F73014C86114C2AC28BF13BFAE761460EFEA5CB
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 8 x 6
                    Category:dropped
                    Size (bytes):271
                    Entropy (8bit):5.814453659497532
                    Encrypted:false
                    SSDEEP:6:UoQJUmTD6jC5UAf+L32pzez9AgKIV1JlwDyt7WmuR:UHPPf5UAf+LezseaJaW5hW
                    MD5:82FB76846108E151CAFE65C37750D87B
                    SHA1:F8A77B41EB497EF2EA7489C313522D72C12EAEF0
                    SHA-256:FCF28F44FB9825BB7018C6BD78F169FBE97DDCDD4A506954CD1288720905F210
                    SHA-512:16E5679DBB0C15A519070ADECC5D3E734D1B3701D9CF8DAB59ACA665DE3EB5A1A2AE9D93BCA0BC646E5902B2F04599A89BBFA3E926B08460192ADC30DE2A9EC6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 16 x 12
                    Category:dropped
                    Size (bytes):971
                    Entropy (8bit):4.769037328799871
                    Encrypted:false
                    SSDEEP:12:asDiMjqU7/52N6kszjWpnDKvT4mut/mYZzRWlVqJUtzDtY0jliduB5Y:asGsqi52N6Rzj2nDETot+w2VCIhDgYi
                    MD5:C920930089A53E151CD8E2F04E55FD97
                    SHA1:833DD01792C7DBBE5DF93910071C629479B3B3E5
                    SHA-256:B53D0E2228DFC13348D12F7348DEB6949A3FE1041C66580265D36FE8A3E3ADC0
                    SHA-512:0DDB43D38736EB1534F91707335C436B496A710E1658F6607AD410BB9D35812E00A75CC1280159C94347489A8AFF0CAAF5A86163979E7EBC5BFA39DC919799FD
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 24 x 18
                    Category:dropped
                    Size (bytes):1121
                    Entropy (8bit):6.503909034231734
                    Encrypted:false
                    SSDEEP:24:fWashnGXhYk3l8ofBzVFjVh1L1QdeohscS48Gd7mOGLqPAJZ04t:Ojhn3k3FZzV9VRQco3S48UGDHt
                    MD5:AFA11885E9BB69B014484BAE26F7A84A
                    SHA1:7202F278090C8CEBDE2C48DAF00520B772674736
                    SHA-256:925BF637B5711CD881258CE82D4DC46ADF692BE90E1EDF63EC66B0C56855AD71
                    SHA-512:8FE337D1C98C94B6505934CD04BE9323B29C6B724EF2218C44A58F9C8613952DA5E5DCDEF94346CD46159FD25170DD02F6DB6D20842DEEE9D88F056788C96732
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 32 x 24
                    Category:dropped
                    Size (bytes):780
                    Entropy (8bit):6.451428601463282
                    Encrypted:false
                    SSDEEP:12:vYCSlVNxLjR0lpCUiTIqBgl8tcbJZtLd2wG8bewoC:v5YVmlpCUiTIPDJh2wGPs
                    MD5:6ADAD27F0C05841F1158C6B5CA1C5547
                    SHA1:53B385F95DFCB726F7B16B43A73C03A9B1A1066B
                    SHA-256:C1F70F77EB4326D348CF595B8312BA999A088DFC060C4861C5F39AEB4E3F587D
                    SHA-512:62AAE788864BA5A5AE0F37E4CA7962C9FB47610A3EE3869DB491BCD6485FDD5B3924745319E1A622C1D0056CF5D04BDD0F883068A071BF78B4FCD77AF2F8D7C6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 40 x 30
                    Category:dropped
                    Size (bytes):880
                    Entropy (8bit):6.921424664630689
                    Encrypted:false
                    SSDEEP:12:VcQzdz7kff3UYRRLBEzZXZgHXN/l7vNwRgnibtWxdnMWLX719RdszkFtMIAoXGan:V9xSPXxBAXZgL7IgoW/LXTQudXGan
                    MD5:528EDABBA3B1843D494EE84F963E3132
                    SHA1:6758B3A959A56C6FB8D34FEA4ACD7DD35B760EF5
                    SHA-256:9F75746C4044EDEB12909453C87F6A4C8D1B513B299D9D6E1DC4C9E6974EDA16
                    SHA-512:E8A30DF781AC97F270467A45DCEC855B5312E33FB63B5DED6D9D8D5B5D9182092E91CBE4D197F53F8DF233B885E9556971372FCA8CBD70282DDEF7EE346171B3
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 48 x 36
                    Category:dropped
                    Size (bytes):1054
                    Entropy (8bit):7.223462414084573
                    Encrypted:false
                    SSDEEP:24:FGFiWAXE8uNc/MfTeOwx7rGT9Bgh5F7zOncpozbVS:YFiNluNtfTWx7ry9uhv7zkzbM
                    MD5:C659F16B2459261365A2796D0C4F6380
                    SHA1:E35D6FB8003CA36AB681E260917110F0C1FBF81D
                    SHA-256:57DE03792B8523D9E242556C2586BBE537B0934D93DB28334FB6D5C22260F188
                    SHA-512:647CE9534CC2B185DBDFC08A5C1E8EF26AAA65D74CA2393D825CC304687B0A255FF4DF4331726ACFAA01E4B3C7773DEC7067A70FA99550A7B6F2EC51DA5F3545
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 56 x 42
                    Category:dropped
                    Size (bytes):1227
                    Entropy (8bit):7.4755667210841805
                    Encrypted:false
                    SSDEEP:24:vNbzmwi8sGjgJ/ziX/xTfOJtt8Wn/ZN8FA9wtPvvxPdIWUXuP:JCwPsq9PVfWWgZN81ZFbUXuP
                    MD5:5397FA3D21EFFAF1E7970FAAF3F8732B
                    SHA1:88EC7A8ADDFFF79D8FFB8D7AA716198AA07BE22E
                    SHA-256:65A4B71050F4F40C031105C04AC1A288380DA5E4C4EB811062E93F6C7F170317
                    SHA-512:0326205F7EB438155DF2585B450C603A4DE9D8D927B7C18CEE0078AA39E31266B7CA8E61D4A1D7DB6175A530278B0AA4CAE974FC314E361D2AEBE05988994D3A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 64 x 47
                    Category:dropped
                    Size (bytes):1370
                    Entropy (8bit):7.411638138599929
                    Encrypted:false
                    SSDEEP:24:eNhw2/tWXVC2gdQxXXbNlpbN0mzyPzro/pO5tP6AGYLkU:M3xQFJlVNhz0r0pO76A5LkU
                    MD5:D07A75663F792CB518770388207854D0
                    SHA1:03B320EB7D18F4A8D0F32A19154BB59507E4617A
                    SHA-256:B2F7E58A8A9ABAF7E59ACC498D920A5EB94A07D577A425FA681BD45F9FBB0049
                    SHA-512:F98EB4BDE8D6DC4C9FE2B5239D19FD86084D8F6194BD698D479A604C9C22B2021FE93A6E16F7E0AF44A0DD008319D796DF9FFA2AFDEB0412C777E404D88AC678
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 8 x 6
                    Category:dropped
                    Size (bytes):271
                    Entropy (8bit):5.551571974618987
                    Encrypted:false
                    SSDEEP:6:UKalXtKj2l3gVTWasvR3Z0XJlPGKxDFawD1:UKadkj2d4TWasvR3Z0XJJGKxDFaw5
                    MD5:37C9EE1174ACFDAB091A2A08D0A86E54
                    SHA1:0283E1DC6E12F81720865BE21D8E79F38A6EA833
                    SHA-256:0F568941C50855E1158634F03D99884CF1F1976D76A4441EE789A8CDC85E6A11
                    SHA-512:7FB9C3DBBB67D3A6CA7E6FB5826E5F3C1DC753B2B01F1A9F71B20D4DDCFC36B038483DA514559536906575AA964CE5ADC9F6955148D8A9BED0444E0CD4C548FA
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 16 x 12
                    Category:dropped
                    Size (bytes):973
                    Entropy (8bit):5.3617665088117255
                    Encrypted:false
                    SSDEEP:24:V04zXoKIHS5lamDa9K3doIvt6+vd1B5QSH7:i4zX1NHamlKdqY2
                    MD5:4CB329F2DECF2C40C4D9438130A0947A
                    SHA1:7D6201F30BEB9DD460BD9A7CD223FE875C99D386
                    SHA-256:7F65A80F3E65460B36D38CC720D570EA1014D49C9E96BF2C9B0CF41BE0D28360
                    SHA-512:6CC32C4FC0B06442017AA575858781B13FF3B02C1034D3301A134C87D2575EED50D98143526723E0D032D1248D9BFEA89030A14D0AE20BF3464A03A13D8E9DD1
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 24 x 18
                    Category:dropped
                    Size (bytes):1161
                    Entropy (8bit):7.4244027585409205
                    Encrypted:false
                    SSDEEP:24:BVgxF4Fa15FInDJh5v7pcIeBL2X2C1JigE++UR9Cej741S5Ac:BgP1LI9P7mIeBq11PvRt41S/
                    MD5:56D2E9097A2E37A3FA8FAF47B03F86BF
                    SHA1:FA16FB21C9BD86283D6CE3C30FCE970A03B90014
                    SHA-256:E58BE22A1B24B34E5BD6371941552B6F5A5E4F5C66DA93B415080C20C0FA697A
                    SHA-512:9563CAAC88847C101B67DE9645146BADBC3556B4CA458908F973A0BC29D328647C838FD5A01D506F70A8B4242E5300D9002AE31CF91CCCE74797ED07A1778B64
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 32 x 24
                    Category:dropped
                    Size (bytes):829
                    Entropy (8bit):7.327928778502305
                    Encrypted:false
                    SSDEEP:24:vYCXcZksJH2SA0CzPhxzRdEAgw8OmOD7isG7:/okfPPhxzntuODc
                    MD5:77BF77B99C4BE47B1C317C9D1E4121AD
                    SHA1:E9B145587336D0B6E8D891DB8C7C1BD126F4CCF7
                    SHA-256:0515B424954EC08FA8BAA6886B1A618657C8DDF878BC65BBC56765FE8A6C9E70
                    SHA-512:5761CF58EAB0D88C747741EE473C2D8FE57A2EC3CF728D8F3ADA08056A7A68AC902B423C15E3A1E01000978A5C930A114B2E0AD2F84C3B4258316CDE1DCCE99A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 40 x 30
                    Category:dropped
                    Size (bytes):1017
                    Entropy (8bit):7.581487213560488
                    Encrypted:false
                    SSDEEP:24:V7uAPjQoiEAkYoSXvv5RlhY80XH8sHvUeI3Km+qnvKulPYcXwkYTX:V7TbxTSXvdWm/eI3Km53vaD
                    MD5:32B325E835ADFBA2C1551A06445F3857
                    SHA1:D4C1C37DD1E4C01A91974A6F3FDB9FC3CD11888B
                    SHA-256:27D12097BD33CBF0B36D2DA8E7B7A7E745AD725662C76F8E58B9CE9DFA57EA48
                    SHA-512:0EF2A8E4E738F90397287CD5CF25E874C4E8CC1CF59B121BBDED2E5CC11BB2E39B4F96EAED54B197052F32FB125BF2E068C41EACF8CFEA671391A0A708AA30ED
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 48 x 36
                    Category:dropped
                    Size (bytes):1207
                    Entropy (8bit):7.718168641097079
                    Encrypted:false
                    SSDEEP:24:gAdYwHssnMNodtXcnpXLLwrulDPvHAxgCG/+fXKa7jkW0s8SnX/gjIJmjYcUSp:ZdYwHfnJd4LkqcgCq+fXK2Is8SnXYBUc
                    MD5:4CD55D0456310282129345CDA6E7AFAF
                    SHA1:F923122B5EF94DB2CCD6799F757DFF28967FED98
                    SHA-256:0403B8D2A76E4B9F41E7DA8F14A856322247173E65059E61E3E297835EBA7EFC
                    SHA-512:E1C8D01BA2F7C911AE2F294E6D47D96DDFFC4E0D6AF30112867267413BE354AC6891064FC6E49585E1BBDB1ED8E682BD78ADADB5C067963C326638580A4F835F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 64 x 47
                    Category:dropped
                    Size (bytes):1598
                    Entropy (8bit):7.823584445336844
                    Encrypted:false
                    SSDEEP:48:vsv92EsjvHY5jJeIHgZbX1lBXL6oh6UQ9lA:0v9b5kIHgZh76Y6Z9W
                    MD5:519B8A80C3548ABBFA77F30BD9B9D92A
                    SHA1:F7C04315CE7FC408203E19F387566EC6FF085BDD
                    SHA-256:FC73EABEAA6C0DCB1B4FF78241725A1049B937DD2C6900826B6254CA64782B95
                    SHA-512:5ECCDC7A1BB20A86C78885424F2069626C985732DF0B5D4B400BDBF0D16556A1BD8C6D4A874E67ED1E98F9BC94EC8AF084521AA25B081BB7AAAEED1C704E3FB9
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 8 x 6
                    Category:dropped
                    Size (bytes):271
                    Entropy (8bit):5.567967951154983
                    Encrypted:false
                    SSDEEP:3:CHBazwIfNSeauGIdndZ58vSkcFs3cI/pjR9egBqVVK8GFm8ae/rzl7/lJlLF395Q:3zwQNEiV8vSk3cI/392VVKNlzvljKT
                    MD5:8812CBB7DB0E70442AA7C67A79705955
                    SHA1:D750DE85C362EC8DE70FE1625A9DEAC45862F58C
                    SHA-256:620D74386240EE759FFF8F89193189F8664C049E8250954E8A29021D9AF851BD
                    SHA-512:12625188A6992965FB97C2BA414AE4D3D849320F2BD726C25445887A8592D59BE3F217C0BDDBB1521BAF436E1970283E1FF9913EFE833CD16B745ED73475A43B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 16 x 12
                    Category:dropped
                    Size (bytes):583
                    Entropy (8bit):7.2343860491924445
                    Encrypted:false
                    SSDEEP:12:W9QYhrsftZ6cBGjmd1avIGeDiJP/hsFbL1XNweODs9zC2sD9y1j22:FYafjel/hsFBmDs9zCFhijJ
                    MD5:C8AEB4748BE723126577D46531718E03
                    SHA1:AFB0DE529BE28627647F1BA974F61812A24CB52F
                    SHA-256:C481E6877FA808BFC3B64137A8D2A0CACAA5F34F446AD598BC9BCBF768F4D4BF
                    SHA-512:B867A9E0AAE7BD26F71BA55D431D03C466F59912960757724CBE83079B1315C8DA14ED369BA7AD3C938EC0562C28089B7EC2E75D7D225643AFF1057C222C2491
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 24 x 18
                    Category:dropped
                    Size (bytes):1143
                    Entropy (8bit):7.1672698582384
                    Encrypted:false
                    SSDEEP:24:tVVDLivhnToDWMel8mKWPP/FoqPx7BO9V6Ge:bVDLy2xcnX3/ei789cGe
                    MD5:7B3EF931208584BF4E7AD9F75A25BA8F
                    SHA1:9714C362CD9B3122BF04924092FFC87E703B4BE2
                    SHA-256:6D0838B86904A2F9C0EBF623E84363B87E672856D56C37838F164D5A67FF1F7B
                    SHA-512:629FC1ABD234B8F1445B45C3C2F205371B8B5445848F602C4B36F8C074C68A0A170241644FCBA6B21C08D88743ED3AA747B65BC27C352B431E0D9EC64EBA6011
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 32 x 24
                    Category:dropped
                    Size (bytes):845
                    Entropy (8bit):7.5841925299399655
                    Encrypted:false
                    SSDEEP:24:v6QUr5eCs8iiNn5dek0K4WFPoQwvOGNUHQwFNunPuk:SQ45eCs8iiPde9yFOWqUHJnuR
                    MD5:19B0E150211E195A5648894EE3884DAE
                    SHA1:0138F9278FD9E10A4D46F4E813058FC18E25E995
                    SHA-256:A853EC13C607C41B6D723355B0C326C8EAE8B07739AADC604F9526F12375B240
                    SHA-512:3B89D43DE59417D2A1D281DEB23FD89D49C85DC907AE2285C5C05C072A46BA9236CBDBE70AFF55AFFB00EE3CCA0D75F0C853CB5045CC899C05C9C3D289765B76
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 40 x 30
                    Category:dropped
                    Size (bytes):971
                    Entropy (8bit):7.44518128477496
                    Encrypted:false
                    SSDEEP:24:V26PSCZZnBmkYqhVDe6RZI+VVKpfpFw/snwn2RB:VfZZZnZ5ZItO2z
                    MD5:485008D529CCE21D58DEED2652E9C922
                    SHA1:97358637342387239EBAF71F45DF55D8EE7BA2A1
                    SHA-256:068448F38971767E73CE90B51D7043EF4226C9CF956CC0C8193386C06F92F440
                    SHA-512:A24C8AE68FB5513572BFD5D127A8C2DE47AA79353A65BEBD10F19DA851F9E72447A361AFC973E1F15E7DAA7041B68E735E98FDEC7CB1D11020A1ED375E1E0C90
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 48 x 36
                    Category:dropped
                    Size (bytes):1575
                    Entropy (8bit):6.620128508150609
                    Encrypted:false
                    SSDEEP:24:tgYYBJo6zHggPCzGIYA5gRE8DWId4+CZkqIjj1jh0AFTEQ:KH8AVjE8KIa+QkqIXb0AFTh
                    MD5:8982C5648D53A23C0DC5511C4CDFFC2E
                    SHA1:020DA7185E35B35E5E74B5B34EDD19ECB5BBE64B
                    SHA-256:7E06DE793731BB970E2E4C60D6FE2740890AF68768017BB3FF3A58239394DE3B
                    SHA-512:393B2F1009D83F606A9B97F1F47F446BB8CB18871A0935967E9847C920181BD763A55998877ACF6770BCD5FCDD86C39675FA932B82BC70FDE142434DA9378107
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 56 x 42
                    Category:dropped
                    Size (bytes):1777
                    Entropy (8bit):6.775367790811127
                    Encrypted:false
                    SSDEEP:24:v+RtgFU7kl11FxgYe/rUQVLV5tU879tUfPQInQXcqwNt2+XKl+9:KuO7kl1PuZogx5tV7uPDTfAl+9
                    MD5:5816E8374593ED27530C0166E76663F9
                    SHA1:9FD4EA9610FFCBCAE6FD1A3C873B52D147D3A7D2
                    SHA-256:DFA93C64CAEEB3FA0FCD4D59AC5118BE2EE763F47ADB8B5E33B9832FF6DE2394
                    SHA-512:B7FB82387222DDC477DEB4BBAB94C8D39187DA74C86541BE70C4B83C2EEA005C9B31C2CA61EFAD7B9B6BEFFBAD3A03FD4BFE2486F1B0A02A2A9595B9D49F1593
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 64 x 48
                    Category:dropped
                    Size (bytes):1477
                    Entropy (8bit):7.771062238092598
                    Encrypted:false
                    SSDEEP:24:c/XP4Pv5tInaahO8v+7vCcd3CHc5H/v3xR5SXVC27hLzWWSrXJLDV6gq4lihWdmp:cX4H5tzh7fXv3t099XWW6XJN6keWJy
                    MD5:B7F83955FA3691111DD8100C6AE8563E
                    SHA1:17675191A3AB1012C653338BD1194A7CDBC9525C
                    SHA-256:45B4BDE876BF4B330F3B784ABEE55E11DA2CBBF7A443D94150EDD169AF11419C
                    SHA-512:3E53AB3F65C7F4855D847004EE0DD273BF5961E3FC29015F0300196516A9DC563056E2DDDB9BCC1154D382785F540877623163FACD1843B84D3DBB6079E5EF12
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 8 x 6
                    Category:dropped
                    Size (bytes):290
                    Entropy (8bit):5.952945903768927
                    Encrypted:false
                    SSDEEP:6:UXJTvEDe8/B0kt7lxlf3z7QetJl2Ml/JlbNsll9L8EN3:UX5EDe8DtHlLketJNBqllRX
                    MD5:BC33A5ACB736582982B0D9CF64D5E70F
                    SHA1:BFA1753CC21DF6B23974EBE9FEB4541C78428A93
                    SHA-256:946BDF2ED467BB50A582ABC3235DAC3F81C8BD2F268D203D853E72DEDE997709
                    SHA-512:1E8268E6864CDC7234E7C9F2BC135D7EF3CA222653699C9CCB74F243A99CF121D6CD4BCB3B655915C5AB0646CE87039C2E58191DC20DF01F09DD66660F61A22D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 16 x 12
                    Category:dropped
                    Size (bytes):584
                    Entropy (8bit):6.4743101953151765
                    Encrypted:false
                    SSDEEP:12:0hIdwI27aTyMjPPSgbpNSc/6RXoaB/NwQhW3dHxB/a8BUWCiUEa:0qU6y2RpYcsFdXCpHCCjw
                    MD5:32A7968C2CC3BEE311818EDAA7653CB9
                    SHA1:7B1C0A82591A03AC02BE9B5DD23797D6609F8850
                    SHA-256:6087EB466499585489E6BAFD504FA3D0C85852964856AF5755D8AC3076AD19E2
                    SHA-512:976C60C2BCE21896AA5DB2B5158353BDBBFCBEE8E7AA668842B230255734DEE00C84D87B8A8C6F1CA6A197FB8CEA63752553E6442EBB1DF5B7964E539B86B427
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 24 x 18
                    Category:dropped
                    Size (bytes):1118
                    Entropy (8bit):6.096727262207109
                    Encrypted:false
                    SSDEEP:24:5AHoSahzjIPUy3rWjoHRGE15X1GtoCltddRBoAjjSxn:aHvq8PF3xp1uoCnexn
                    MD5:8FE489C916A670D353A60857A9A492AF
                    SHA1:277AA43B57EE757987840F44427B99C2D9A883B8
                    SHA-256:7689FD162F0E8D760769052DBD30991A7DB0F460D46B4EC93051CEE50931FC64
                    SHA-512:F00502641D156FEEB3B943D058F4D5D1B1E88082AAB8A7AA13CD97857983EAE33BFAB31E2165AD0BC03D9793ED60FD92E9D259BDC8C1F5AC5AFBAF34010F00B8
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 32 x 24
                    Category:dropped
                    Size (bytes):780
                    Entropy (8bit):6.282630605323849
                    Encrypted:false
                    SSDEEP:12:vCJbFEakMh2Pd9vVb94FNQwmorSSnbijKmeI2PwnS9kDh4BBS5arA:vaSalh2f4FPWSnrIXnS9kDh4BBSx
                    MD5:FCAD959ABB10D3227175AFAC4A8F359B
                    SHA1:16DF57EA577FF41C1DE15EA714A8861F43D40357
                    SHA-256:A75F0C5B10A2363A4C8F8B9B2BB77DB3B5B64CC54FE797C64A28A0DA449AC7EA
                    SHA-512:B9078AAE97C74EDD4D4D7F443B2567BB4016A31B4EEA9467DF0D887AD8095C52C915169A8830A2B63B97AC031E22D2C642D6F65FBE0FDD84361A1170EFBD3819
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 40 x 30
                    Category:dropped
                    Size (bytes):868
                    Entropy (8bit):6.412724524922268
                    Encrypted:false
                    SSDEEP:24:Vsy2QH4CsWHCkVEWD/l4tnjDQvtc40fjd5n:Vstk4CZFEWD/+9HQvar
                    MD5:0B12C72878723291127753DA127AE8F5
                    SHA1:F7F0CB8A090F4C09C90647B4441A3CDACBC97F29
                    SHA-256:9F6989DFE8324B8AF0E04B0818C542A1CD8B5B65041E91C429D93ED049D917B3
                    SHA-512:847C381DD5D2D4EDDF50092BB8C97C600A018DE47C67732C180069A8BB51DE3B01D0F41E2ABAE117890B1D72CADB09DA4A579F9820016FD416EAFD226A2D04E4
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 48 x 36
                    Category:dropped
                    Size (bytes):991
                    Entropy (8bit):6.654550673762326
                    Encrypted:false
                    SSDEEP:24:ybmwDzRIIv+z9vyxce3cWfbY6CRkumHl8vXpC2:ybmUz29z1FucWfbYSivXpF
                    MD5:9B3A05964C732F339CC1313C778CB8D5
                    SHA1:D71AF8BC0DD8FF26F02FF6A210CEFBF18B72E156
                    SHA-256:BE8D3C70A439B64059BDE61CAE859D6E7D138EC8949416216CB237B7F0CF286A
                    SHA-512:1EB58B8DAFDCA9647339C1EF9828494C989C9AB0ED2BBE1D28D583F87B5D83A4C22532147FB69278C5599D9EA021866844FEBBCF3FC5DFFE52E5E14762D4AC6A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 56 x 42
                    Category:dropped
                    Size (bytes):1195
                    Entropy (8bit):7.061266764614232
                    Encrypted:false
                    SSDEEP:24:vwlZwPwSbfJv+9x+5xxI6B/nuxDTPcSnob+tw/EN:WKPJIr+5fI6B/aDTEbl/6
                    MD5:6877F76CA159F4098FE31E56B30D627A
                    SHA1:CB08D54CC79A903539C321755A482423B2E6CA4C
                    SHA-256:59EE3E29367344DD77203E468E88FAC984C1527F2A315B11FF31EEC5B387DABD
                    SHA-512:51C97FB9E73AEB1D6B346722105F5237E40470731D06030A4C09F9278556A4A6D7384517058C69727735590A299CBEDBFF4525A0EFAE5BEFC62BA244971C70CB
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 64 x 48
                    Category:dropped
                    Size (bytes):1317
                    Entropy (8bit):7.086934855844303
                    Encrypted:false
                    SSDEEP:24:d6PpM+cwfO7v+7TraLKc8D8amP7Mj3CZ33HZsy4J+4zghFefLrfUuAAxQ/7A9:d6B6q7vPDQUg3HZWaFezrfUFAxUA9
                    MD5:A7D235698DEB780ED25C0F67EA61DC15
                    SHA1:8635540B66B45C790717EB085A0133E2276F3680
                    SHA-256:DE02CA73E55361F360AC3D29410451BEB2B158321B02C2C150764AE78D3424FA
                    SHA-512:DEEC7A654D450FCBCCB6E91902CF75FEDFE7C9017BF77AA72208D6669CACBA6584A2FCA18279824A4F3A9975B5D3FD6817E3989187D2B81B756C9F77FD0AB07F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 8 x 6
                    Category:dropped
                    Size (bytes):290
                    Entropy (8bit):5.531392265855522
                    Encrypted:false
                    SSDEEP:6:qEWvv6m8OlzYPFluCFG/3GMYIuNzJl2Ml/JlFUkq:qE8vF8G/349NzJNwr
                    MD5:D3CA433B3AF777A00BDE2C042F4F9602
                    SHA1:145F710B392DD1121BFEAECD006693FA00A95242
                    SHA-256:B1D931431CB28BDBB070D4B7DDED5116D29860B2102734AE7A71C2CE15E70FBB
                    SHA-512:0A1CEB266016CABCDE7ECB51F4EA73482B923719FC7DA1911F426158B74D4679DF7672648B6FA7A0C0C7E014967C23CEE2C504A395E1EA9805C177B6EAA2D63F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 16 x 12
                    Category:dropped
                    Size (bytes):584
                    Entropy (8bit):7.208985387561036
                    Encrypted:false
                    SSDEEP:12:8JxMeyHmLy8lcvTGRL2Bg9EvFvaZzXNwEfOCSmCNq:m/yiy8lAKRqAEiFGCp
                    MD5:33555A8BC15AE24395A621ABC069499E
                    SHA1:BE7BB4806691EB8ACFC4736025E867296AA1B90A
                    SHA-256:E4251EA0E478D64A5367F45DEC6389FC08452F618A97E070D770F7CC03B421F5
                    SHA-512:E0F9D0BC2038A732E2F852389108867718C40F03860185C9BFFC44BBDAE6153AE70C5A75E2A573ABBA2049D33682338901E0D9981557E486B91BD53BA02B41AF
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 24 x 18
                    Category:dropped
                    Size (bytes):1155
                    Entropy (8bit):7.219868215771764
                    Encrypted:false
                    SSDEEP:24:lvWvHB1YEydoCKQJZZuILxPDPxxP57gBhaCJ7eACmG:VWvAoCFvhLxLP57/CJCfp
                    MD5:327C09C250A715E37650A1E974387043
                    SHA1:E832D86C1FCFA32B784C4EDB12C16E2F37551F5C
                    SHA-256:6177CD5534B6D8EBCB7E9384EFB87136F3B6490AF187CE993D4EF5786A5D5948
                    SHA-512:DE9CD9D11251628392A4FEABA8DFD0DF7FB6D5D349C32B156F747E6D9FB38D49F40872037F3BB3E26777E3CD10BF8DC22093F6DE9CFCFBC9BC3EF9817662DD29
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 32 x 24
                    Category:dropped
                    Size (bytes):851
                    Entropy (8bit):7.479804055389528
                    Encrypted:false
                    SSDEEP:12:vNZTWguGtseTylil76HjmanNf1agklrhNcCaeW4gCVQUg7PhlJEhvKyP2E50Uj2U:vnW/sseTgRyantMXrhDfg+gL2hC7UjSE
                    MD5:372F6CC49332E8D00C6556DCD1BBDD6D
                    SHA1:B342CC5575BD1B66D8041CCC1BA0E89E7E552C1F
                    SHA-256:FFFE4361220F2A1399ED3FDF28BF0BF4692E8C4509D8106606957F2C677BA521
                    SHA-512:33019E3CF522EA6F8D7FB27D607B26ACDBFE499005F33CD3821B5D2599008BFBFC40275E7F3949F2BCA159152E954474346DA6BDB7FA9711B00248881BCD751D
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 40 x 30
                    Category:dropped
                    Size (bytes):1004
                    Entropy (8bit):7.329948145516871
                    Encrypted:false
                    SSDEEP:24:VNPoh19IxcCuAdt81FsAPgxlPXVVz+iCO0OpKecRzjveG:VZonmxRyPAlbzAO0BecR/vf
                    MD5:A29A3CA86D47644B77FC653C992D618D
                    SHA1:C68E21DEA7CE785A5E94CC39285D0A270D2FA22A
                    SHA-256:737AA28544F32AA2C0914CBAF760C26634060908141511EED9210DA60ADB1C5A
                    SHA-512:C76321DAE0DF0496931D578D47DBBBB605A2417B9BE661E2D5A80CE5C22847D857B7AB0A82CDB23F15531F223C03DA5081FAC726D9907DC8FC9380E719898435
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 48 x 36
                    Category:dropped
                    Size (bytes):1161
                    Entropy (8bit):7.617872811408397
                    Encrypted:false
                    SSDEEP:24:BhpXJkenQE8l4bWw7IAv38yDMM0J7rsgBtGwHp8LuyE8ZnhsMnEmgueWxr:v3vbWwEnJsHwHp5yE8ZnhWRY
                    MD5:5448D39A3C919DC481451301B9777BE0
                    SHA1:1ED78333CFA526E3AC37C35004F8F25A327F6648
                    SHA-256:F3BA80FB20DE28493E1C5ECCB8562D4A55764EC75FE7482D487E98181E00F8C2
                    SHA-512:315B8D0A04782C9AD7805416A4465EE4E98BFCE695CC5C21C24BCDE2FCDDF4E19ED46BBB4E6278D56031EE712513D1A4F137BBBBEB847E1B36E5515B1A4F9E89
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 64 x 48
                    Category:dropped
                    Size (bytes):1518
                    Entropy (8bit):7.703869585509242
                    Encrypted:false
                    SSDEEP:24:D0OQ1b8Qo9wexOlkeQbyOUv+7vYD9V/dbCNaBrsAvhdt1F+wjiGReEWoBTAJ1Ag:D0OQ1b89SeYk7jZ7vYBx8KrdXF7xLWCe
                    MD5:DD68AEC7C38205F42B3DE0406C3FA7D8
                    SHA1:DCAAD72911561C0FC408E089521F351673A90348
                    SHA-256:827D5B0303DFC414B9D2D389747E90475123F05580389583BC398CBDF399A3D0
                    SHA-512:E12764AC172EE23A9270FF998FDA6520D7E8AA851EDDFD322816066B7FFCFE536AC57D19B0168E4697B176B633F3FF43A9914C3DF5991A0CF04F1651886DF99A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 8 x 6
                    Category:dropped
                    Size (bytes):290
                    Entropy (8bit):5.878594331454578
                    Encrypted:false
                    SSDEEP:6:CP/Y/dfiLLHT3vgfuE5gcahJl2Ml/Jlb0KmOn:C4YDcSJNKWn
                    MD5:36142E14306355F6A9E2D7080EC33D6D
                    SHA1:AF86312F1CFE620133D82454CC2913570E5E681B
                    SHA-256:8AFE3BE452D9DB1C61CAB59DEF992BEC40E3A99A2A12078382D7B3415DB5C821
                    SHA-512:266FC0EDC76804F87D444D4BB86A5781ADF2744590C736645B650839C1932E824A25E5DBADCE42BDB7D077EB2CA7F5798A937663229859F02ED9E7692BF6D27A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (352), with CRLF line terminators
                    Category:dropped
                    Size (bytes):9177
                    Entropy (8bit):5.254155671733792
                    Encrypted:false
                    SSDEEP:192:XchUv6yPoA1UFkq+3+PGFIs5IGzZmsShbpdaHv7pHWOlBLjz1n:XcKoA1ikH3+PGFIsdzZ+hbpkHVH7p1n
                    MD5:0111ACEA48694E15F883155CE616F5F9
                    SHA1:0281E27CCA22D82E34C47D0E8B331AFD952B50D1
                    SHA-256:E44D367005EE4626A76C11F0BBD88B435894C49B121CADF73D914055A4D8AB2C
                    SHA-512:F1006DAADCABFC1FA41102BF01C8D83D4A8A29FDF0FE50BC71102CAE94C5CB4D2F0213071F670F91A6B90CEC1A39A14850D0720729121222AA614B4E7C2CB8F6
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Hlavn\u00ED sestava";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "P\u0159echod na prvn\u00ED str\u00E1nku";..var L_bobj_crv_PrevPage = "P\u0159echod na p\u0159edchoz\u00ED str\u00E1nku";..var L_bobj_crv_NextPage = "P\u0159echod na dal\u0161\u00ED str\u00E1nku";..var L_bobj_crv_LastPage = "P\u0159echod na posledn\u00ED str\u00E1nku";..var L_bobj_crv_ParamPanel = "Panel parametr\u016F";..var L_bobj_crv_Parameters = "Parametry";..var L_bobj_crv_GroupTree = "Strom skupiny";..var L_bobj_crv_DrillUp = "Zav\u0159\u00EDt podrobn\u00E9 zobrazen\u00ED";..var L_bobj_crv_Refresh = "Obnovit sestavu";..var L_bobj_crv_Zoom = "P\u0159ibl\u00ED\u017Eit/odd\u00E1lit";..var L_bobj_crv_PageNav = "Navigace str\u00E1nky";..var L_bobj_crv_SelectPage = "P\u0159ej\u00EDt na str\u00E1nku";..var L_bobj_crv_SearchText = "Vyhledat text";..var L_bobj_crv_Export = "Exportovat tuto sestavu";..var L_bobj_crv_Pr
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (328), with CRLF line terminators
                    Category:dropped
                    Size (bytes):7937
                    Entropy (8bit):5.158952087234029
                    Encrypted:false
                    SSDEEP:192:+732RiYXJ9r6lC7DljsykcJAXj613N1i1a9giGeh5MHoJswIzhsyR0:+7mRHzr647DljsyjAed1i1OBzMaazX0
                    MD5:06A7597FE857112C336958F8F3548180
                    SHA1:C12D8B16934F712D3199C84717D79DBEA1DA5464
                    SHA-256:58C8636B61717A26D08E54B25A68C6672E2B6B9576E60827A8D8E8431B13C314
                    SHA-512:AEF4C6FF2B0E8961EE2B20D1401BD6E9BE7B4FCA3B2370D69C9AD4E5E1364C0DB799140E3A0B0278F04606F8D4DCDC64E65806BC4B72BCFC7E7D0E4929EBFE33
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Hovedrapport";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "G\u00E5 til f\u00F8rste side";..var L_bobj_crv_PrevPage = "G\u00E5 til forrige side";..var L_bobj_crv_NextPage = "G\u00E5 til n\u00E6ste side";..var L_bobj_crv_LastPage = "G\u00E5 til sidste side";..var L_bobj_crv_ParamPanel = "Parameterpanel";..var L_bobj_crv_Parameters = "Parametre";..var L_bobj_crv_GroupTree = "Gruppetr\u00E6";..var L_bobj_crv_DrillUp = "Analyser stigende";..var L_bobj_crv_Refresh = "Opdater rapport";..var L_bobj_crv_Zoom = "Zoom";..var L_bobj_crv_PageNav = "Sidenavigation";..var L_bobj_crv_SelectPage = "G\u00E5 til side";..var L_bobj_crv_SearchText = "S\u00F8g efter tekst";..var L_bobj_crv_Export = "Eksporter denne rapport";..var L_bobj_crv_Print = "Udskriv denne rapport";..var L_bobj_crv_TabList = "Faneliste";..var L_bobj_crv_Close = "Luk";..var L_bobj_crv_Logo= "Business Objects-logo";..var L_bobj
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (328), with CRLF line terminators
                    Category:dropped
                    Size (bytes):8417
                    Entropy (8bit):5.171262518673541
                    Encrypted:false
                    SSDEEP:192:VSfzv/SSmfVIgyyKkL5/CNCg3Mf6L5ZDmD0ujV4NCEg5sm4IC+uyvxu:Vsv/6+gyy5dw5RmVjV0Pg7Vc
                    MD5:C79FC661511A86FD88EC452F6458F3C1
                    SHA1:65A01F2C5ADD3500808EC507026C9043EBDB524A
                    SHA-256:0AE409D067B3265D315E6B4F94DF70E29F1D94D2F9EBD35547150810874D3831
                    SHA-512:E51D2A6D2562DD7838011F190DFD6912E046AEBDF87C06DEB74A7B7AD601C3C7224E88E16B00BC7B6644626AF08CBB363602A27CC08FE094E8AAF5310D06BD2B
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Hauptbericht";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Zur ersten Seite";..var L_bobj_crv_PrevPage = "Zur vorherigen Seite";..var L_bobj_crv_NextPage = "Zur n\u00E4chsten Seite";..var L_bobj_crv_LastPage = "Zur letzten Seite";..var L_bobj_crv_ParamPanel = "Parameterbereich";..var L_bobj_crv_Parameters = "Parameter";..var L_bobj_crv_GroupTree = "Gruppenstruktur";..var L_bobj_crv_DrillUp = "Drillup";..var L_bobj_crv_Refresh = "Bericht regenerieren";..var L_bobj_crv_Zoom = "Zoom";..var L_bobj_crv_PageNav = "Seitennavigation";..var L_bobj_crv_SelectPage = "Gehe zu Seite";..var L_bobj_crv_SearchText = "Nach Text suchen";..var L_bobj_crv_Export = "Diesen Bericht exportieren";..var L_bobj_crv_Print = "Diesen Bericht drucken";..var L_bobj_crv_TabList = "Tabulatorliste";..var L_bobj_crv_Close = "Schlie\u00DFen";..var L_bobj_crv_Logo= "Business Objects-Logo";..var L_bobj_crv_FileMenu
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (351), with CRLF line terminators
                    Category:dropped
                    Size (bytes):8652
                    Entropy (8bit):5.115023189868015
                    Encrypted:false
                    SSDEEP:192:h2CLDxYvwOe5GD0e9lIF3Y/4wBVaDBV/wbz1DrKaNw:h2exe25G4e9lI1YwwBVaDBVIbVK4w
                    MD5:50AE6C6DEF50A686C1FA3169DFA17640
                    SHA1:3EC0FC09A2505D7C121E1783E0C939C34B16E70F
                    SHA-256:6517643EF966D42AE9E1A74155EAF164D347971E386DFE8ADA79DB9B175D20AE
                    SHA-512:9E1CFFD29ACB738BCEA5A09158CD49746F7CC4C74CDF45B0C9FE129EFCBFDFE9EF4F6B18EA112F7482F9D30C7947DEB13B097ECA2392CE0D28B6F4488F30F76D
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Rapport principal";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Aller \u00E0 la premi\u00E8re page";..var L_bobj_crv_PrevPage = "Aller \u00E0 la page pr\u00E9c\u00E9dente";..var L_bobj_crv_NextPage = "Aller \u00E0 la page suivante";..var L_bobj_crv_LastPage = "Aller \u00E0 la derni\u00E8re page";..var L_bobj_crv_ParamPanel = "Panneau des param\u00E8tres";..var L_bobj_crv_Parameters = "Param\u00E8tres";..var L_bobj_crv_GroupTree = "Arborescence des groupes";..var L_bobj_crv_DrillUp = "Explorer en arri\u00E8re";..var L_bobj_crv_Refresh = "Actualiser le rapport";..var L_bobj_crv_Zoom = "Zoom";..var L_bobj_crv_PageNav = "Navigation dans les pages";..var L_bobj_crv_SelectPage = "Aller \u00E0 la page";..var L_bobj_crv_SearchText = "Rechercher le texte";..var L_bobj_crv_Export = "Exporter le rapport";..var L_bobj_crv_Print = "Imprimer le rapport";..var L_bobj_crv_TabList = "Liste des o
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (338), with CRLF line terminators
                    Category:dropped
                    Size (bytes):8036
                    Entropy (8bit):5.02919334013281
                    Encrypted:false
                    SSDEEP:192:713CCOrm7FAibpwiGXtDo3kOQMDa55Zobrh+ZRjPn:71bOrmX1wDXUO5obURT
                    MD5:786073F9414E3443C041589CD67851BA
                    SHA1:F51B8CF26CF08DA3FD72681D56A42A95B938843D
                    SHA-256:917105C0867D029B2BFE5B209692D334190C960E51128330EB9EC8F4597F0A64
                    SHA-512:109B8580BDA1C61088AC9F182804CCBF50DCF1993EBFC91E589BF1C83D2F16104607AA8E1E2C38BAF585A96372C16C4447D711E0B23EB0AD0E5BE21F8EEC44C3
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Report principale";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Vai alla prima pagina";..var L_bobj_crv_PrevPage = "Vai alla pagina precedente";..var L_bobj_crv_NextPage = "Vai alla pagina successiva";..var L_bobj_crv_LastPage = "Vai all\'ultima pagina";..var L_bobj_crv_ParamPanel = "Pannello parametri";..var L_bobj_crv_Parameters = "Parametri";..var L_bobj_crv_GroupTree = "Albero dei gruppi";..var L_bobj_crv_DrillUp = "Drill Up";..var L_bobj_crv_Refresh = "Aggiorna report";..var L_bobj_crv_Zoom = "Zoom";..var L_bobj_crv_PageNav = "Navigazione pagine";..var L_bobj_crv_SelectPage = "Vai alla pagina";..var L_bobj_crv_SearchText = "Cerca testo";..var L_bobj_crv_Export = "Esporta questo report";..var L_bobj_crv_Print = "Stampa questo report";..var L_bobj_crv_TabList = "Elenco tabulazioni";..var L_bobj_crv_Close = "Chiudi";..var L_bobj_crv_Logo= "Logo Business Objects";..var L_bobj_
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (373), with CRLF line terminators
                    Category:dropped
                    Size (bytes):8559
                    Entropy (8bit):5.116137877008578
                    Encrypted:false
                    SSDEEP:96:W7ZoI9KV0ZBz2bicBHI1b157D7IQ/pk9Ev6E4gKCP88+mmkWnV3DcDuaDB9cPfst:wqRsNbaPcDBzE++dCI6mjjMgeYm9E/u
                    MD5:A0FB47B02F12600500331CF35E28053B
                    SHA1:A9D907630F6C067FEF0C11919D7917A5A23D1D89
                    SHA-256:FDA73A91E7039F8ABD5FC32F1B4B2B182DB9D3C24097FFAF48570167B1D60045
                    SHA-512:A9FFFCE058191671D4268820311C6AC75C9454719459F0A917A0FF976B8B903F79FE80AE3C8954B3C355F47B828624314C2BE24213CA230AF8F2FC72C3E1A0D5
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Relat\u00F3rio Principal";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Ir para a Primeira P\u00E1gina";..var L_bobj_crv_PrevPage = "Ir para a P\u00E1gina Anterior";..var L_bobj_crv_NextPage = "Ir para a Pr\u00F3xima P\u00E1gina";..var L_bobj_crv_LastPage = "Ir para a \u00DAltima P\u00E1gina";..var L_bobj_crv_ParamPanel = "Painel de par\u00E2metros";..var L_bobj_crv_Parameters = "Par\u00E2metros";..var L_bobj_crv_GroupTree = "\u00C1rvore de Grupos";..var L_bobj_crv_DrillUp = "Pesquisar";..var L_bobj_crv_Refresh = "Atualizar Relat\u00F3rio";..var L_bobj_crv_Zoom = "Aplicar Zoom";..var L_bobj_crv_PageNav = "Navega\u00E7\u00E3o da p\u00E1gina";..var L_bobj_crv_SelectPage = "Ir para a P\u00E1gina";..var L_bobj_crv_SearchText = "Procurar texto";..var L_bobj_crv_Export = "Exportar este relat\u00F3rio";..var L_bobj_crv_Print = "Imprimir este relat\u00F3rio";..var L_bobj_crv_TabList = "L
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (421), with CRLF line terminators
                    Category:dropped
                    Size (bytes):9264
                    Entropy (8bit):5.241311418368176
                    Encrypted:false
                    SSDEEP:192:a2OYyOjd494xsHbKhWlXtCCp4XT+mszsUjX7y76eFbQvUyhh:aLYyOh494WOhQN6XCmszscQFYh
                    MD5:887FD76CEA58F99369E98EF6FF707F17
                    SHA1:3260D90345C7615DEAAB6334FC8FA8C9F6C0EC73
                    SHA-256:EE1623B9892139943AC2513C2D83D0A41B4217EF89E87866558E6EDCDBDDAC41
                    SHA-512:1AA99222C47E8A65A5803B68919BBC1E41D9D7733FF558DCB77978E99FCDCD30DAD12EE19230C3E6B0AFE784A2CFF2FED30DDA70780D1774F86751DF13A115C9
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Ana Rapor";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "\u0130lk Sayfaya Git";..var L_bobj_crv_PrevPage = "\u00D6nceki Sayfaya Git";..var L_bobj_crv_NextPage = "Sonraki Sayfaya Git";..var L_bobj_crv_LastPage = "Son Sayfaya Git";..var L_bobj_crv_ParamPanel = "Parametre Paneli";..var L_bobj_crv_Parameters = "Parametreler";..var L_bobj_crv_GroupTree = "Grup A\u011Fac\u0131";..var L_bobj_crv_DrillUp = "Ayr\u0131nt\u0131 Seviyesini Azalt";..var L_bobj_crv_Refresh = "Raporu Yenile";..var L_bobj_crv_Zoom = "Yak\u0131nla\u015Ft\u0131r";..var L_bobj_crv_PageNav = "Sayfada Gezinme";..var L_bobj_crv_SelectPage = "Sayfaya Git";..var L_bobj_crv_SearchText = "Metni ara";..var L_bobj_crv_Export = "Bu raporu d\u0131\u015Fa aktar";..var L_bobj_crv_Print = "Bu raporu yazd\u0131r";..var L_bobj_crv_TabList = "Sekme listesi";..var L_bobj_crv_Close = "Kapat";..var L_bobj_crv_Logo= "Business Objects
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (485), with CRLF line terminators
                    Category:dropped
                    Size (bytes):9970
                    Entropy (8bit):5.265819979799443
                    Encrypted:false
                    SSDEEP:96:WrZRylKK/e9lR/l18Fj7m7K621CqAU/iXn9tv6qb7kZeB13fyR15S/lQEaeRHU9J:EfI714upndNKE56/0KdJwX2cmP/I
                    MD5:2DCDF40785AF95CC026ECCA678971DF4
                    SHA1:39CD67F61F51F00C3252A31A054A7A2B8EFD730F
                    SHA-256:79FD470ABFBC48D2A86CE9DB081E5B2A59593557C2824C025D6E22729BE5C1E7
                    SHA-512:8019FE0D6CE40DBE05D3A8524AE6D892EC80DEE76580861A6957DF44CD660DD034B79E898FE9B2782242CA5BBB8841E8BC0757A031376F1CA8E1C5BC437555C9
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "\u4E3B\u5831\u8868";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "\u79FB\u81F3\u7B2C\u4E00\u9801";..var L_bobj_crv_PrevPage = "\u79FB\u81F3\u4E0A\u4E00\u9801";..var L_bobj_crv_NextPage = "\u79FB\u81F3\u4E0B\u4E00\u9801";..var L_bobj_crv_LastPage = "\u79FB\u81F3\u6700\u5F8C\u4E00\u9801";..var L_bobj_crv_ParamPanel = "\u53C3\u6578\u9762\u677F";..var L_bobj_crv_Parameters = "\u53C3\u6578";..var L_bobj_crv_GroupTree = "\u7FA4\u7D44\u6A39\u72C0\u7D50\u69CB";..var L_bobj_crv_DrillUp = "\u5F80\u4E0A\u947D\u53D6";..var L_bobj_crv_Refresh = "\u91CD\u65B0\u6574\u7406\u5831\u8868";..var L_bobj_crv_Zoom = "\u7E2E\u653E";..var L_bobj_crv_PageNav = "\u9801\u9762\u5C0E\u89BD";..var L_bobj_crv_SelectPage = "\u79FB\u81F3\u9801\u9762";..var L_bobj_crv_SearchText = "\u641C\u5C0B\u6587\u5B57";..var L_bobj_crv_Export = "\u532F\u51FA\u9019\u4EFD\u5831\u8868";..var L_bobj_crv_Print = "\u5217\u5370\u901
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4701
                    Entropy (8bit):5.4486485530083115
                    Encrypted:false
                    SSDEEP:96:G9ZQE+1yTmKzQ/201amE5RsMh2qfpl0LJmvYPj2PtLr0/pWH6zw7QQ2Y:GTMIAAsMh170LeEK
                    MD5:FE9DF0FDAB43BD00C16EA76A89FCC644
                    SHA1:DD19AD6771B2CFE6CED4A9A4BAF328347E8C7657
                    SHA-256:ADD334F245DC39B1007E48A7D23D570F884418D449138FBCF969EC721603560D
                    SHA-512:B6568336E41978B1B96D78DEECEF2B83700FCABADC37D5F789B3AEBFBF2A3EAB9B71A0F86F6EE38E0EB497052AFC700FC3421C3B069034049FFFE3FDF2726D8E
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="V.choz.".._black=".ern.".._brown="Hn.d.".._oliveGreen="Olivov. zelen.".._darkGreen="Tmav. zelen.".._darkTeal="Tmav. .edozelen.".._navyBlue="N.mo.nick. modr.".._indigo="Indigov. mod.".._darkGray="Tmav. .ed.".._darkRed="Tmav. .erven.".._orange="Oran.ov.".._darkYellow="Tmav. .lut.".._green="Zelen.".._teal="Modrozelen.".._blue="Modr.".._blueGray="Modro.ed.".._mediumGray="St.edn. .ed.".._re
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4248
                    Entropy (8bit):5.260215839309549
                    Encrypted:false
                    SSDEEP:96:G9Fu2A0WRrV1iDadY6YLa/S2wacdYHbiVP5r0aCs1ZnUzH8KnZaJ:GzntOdY6YLa2aci7iFOlLo
                    MD5:F83AC982420A7FF09B1498D5F0B766B9
                    SHA1:8FF7163D3C040DD32AE233FD3446785B152C3C5D
                    SHA-256:0E82F5850BD1D58A6C39EFEBE0024B195DD016EA578CB458497313D924F399B6
                    SHA-512:A38D880875DD07963640017797F86419CD38D50560306AD71E18F65628D578CAF8F910FA2E980314A7A25A0A3DB4D0572BAB812708510D9B2CEE615B47ECDDFD
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="Standard".._black="Sort".._brown="Brun".._oliveGreen="Olivengr.n".._darkGreen="M.rkegr.n".._darkTeal="Dybbl.".._navyBlue="Marinebl.".._indigo="Indigo".._darkGray="M.rkegr.".._darkRed="M.rker.d".._orange="Orange".._darkYellow="M.rkegul".._green="Gr.n".._teal="Bl.gr.n".._blue="Bl.".._blueGray="Bl.gr.".._mediumGray="Mellemgr.".._red="R.d".._lightOrange="Lys orange".._lime="Lime".._seaGreen="Havgr.n".._aqua="
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4491
                    Entropy (8bit):5.241359084965623
                    Encrypted:false
                    SSDEEP:96:G9Xo7NkAmxAP+sgRcU+I4K+24bmB3t8KzHRdl3irIo0rWPyAyCbqTr0rGSOyK5Ep:GBeNRM+LK+tbmB3t8ol3irIoaWPyAy2l
                    MD5:1D8DF9198C60C6F13486341D8902EC6A
                    SHA1:B663989F7487BB87AAB643FFAD44A3B6DD3DE777
                    SHA-256:CE963CD47DE128CDEBC684AA705FDB09FB18A44E520F8C6436D35C481F736579
                    SHA-512:A3D4A7F4FCD47C86E198BF201DDE7C3A0C7139CE694E6EF95F30A6D1AE5D0212E698CE0C40951C989B9F5B64D5678998F3D8329065D215100417AB71175CA598
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="Standard".._black="Schwarz".._brown="Braun".._oliveGreen="Olivgr.n".._darkGreen="Dunkelgr.n".._darkTeal="Dunkelblaugr.n".._navyBlue="Marineblau".._indigo="Indigoblau".._darkGray="Dunkelgrau".._darkRed="Dunkelrot".._orange="Orange".._darkYellow="Dunkelgelb".._green="Gr.n".._teal="Blaugr.n".._blue="Blau".._blueGray="Blaugrau".._mediumGray="Mittelgrau".._red="Rot".._lightOrange="Hellorange".._lime="Gelbgr.n".._seaGreen="
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4624
                    Entropy (8bit):5.240250287221391
                    Encrypted:false
                    SSDEEP:96:G9hV106734Jo/mRjcibS1yNMWzU/SlmAwW5cHrIGoL/Grr0DNsnZRUJ1whjB:GDP06734k1QnAomAwWOHrINKkW
                    MD5:C833053C7D0AC82290794584411E7FB6
                    SHA1:678C31FC1F8694CCACBF49901E2C3FFE701D5C14
                    SHA-256:9FD99F45ED02558090E943C4778186CEABF427EBE5ACD9115ED3011B2D242019
                    SHA-512:4FD3B183A9D170F2673DAAA27F41CAF01CEDC5022742D6A583002B017927307791D800F2379E8EDD14BF88193FFD2CABFC5B846565BBE652AA8C5183D745470A
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="Par d.faut".._black="Noir".._brown="Marron".._oliveGreen="Vert olive".._darkGreen="Vert fonc.".._darkTeal="Bleu-vert fonc.".._navyBlue="Bleu marine".._indigo="Indigo".._darkGray="Gris fonc.".._darkRed="Rouge fonc.".._orange="Orange".._darkYellow="Jaune fonc.".._green="Vert".._teal="Bleu-vert".._blue="Bleu".._blueGray="Bleu-gris".._mediumGray="Gris moyen".._red="Rouge".._lightOrange="Orange clair".._lime="Citron vert".
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4456
                    Entropy (8bit):5.138010055781103
                    Encrypted:false
                    SSDEEP:96:G9D/zUTnYzgeIBGiuxTRzZfF7aC1W4t9F7wFr0hU1ipJPH8sLo+PuFxCxZ:GhbUuiu9R1Fa4W4t4CJHPc6jPq8
                    MD5:D4788D7E4ED29080144E7926E048E8C9
                    SHA1:649522BFE48DA16E712BA01D396870BCCD00C1C4
                    SHA-256:FDC80075F7258F905C5BCAB1FDD601B0B45F8805B6D0887B30C8777BC04BE5BE
                    SHA-512:57F709B755FE7A383374B85A81C948C2FB57367C71FD3844BC670E1667A2D6BFB79C48BBBB13A19A95AB8D0F288FB68633B139C89AA2BE64F0F6791085890DEC
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="Predefinito".._black="Nero".._brown="Marrone".._oliveGreen="Verde oliva".._darkGreen="Verde scuro".._darkTeal="Verde petrolio scuro".._navyBlue="Blu marino".._indigo="Indaco".._darkGray="Grigio scuro".._darkRed="Rosso scuro".._orange="Arancio".._darkYellow="Giallo scuro".._green="Verde".._teal="Verde petrolio".._blue="Blu".._blueGray="Blu grigio".._mediumGray="Grigio intermedio".._red="Rosso".._lightOrange="Arancio chiaro".
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4481
                    Entropy (8bit):5.235192750427726
                    Encrypted:false
                    SSDEEP:96:G9qEZ8nEszAyWViWYTj5zbwtn/EEEIRlCuK555WSdAr07EeCT0AOZF7ab5Z8BBZp:GA+xU5Pwtn/EEEslCrWGR7FK/Obelm3D
                    MD5:22EE8394DFBD0750456741338BA7D559
                    SHA1:4021C0811640AF1D85E836DFE383623246D7EE50
                    SHA-256:52C037109F18A52C2D5C4A960C7F0F2F3E417795AC3808ED617BD135E9DAAA77
                    SHA-512:D4B2277C8E3AB5995F07A7089BF80A2C0736DEC748FFA471392D3D01018083D339FE92EF413F3BEB3A975118F78AD8A078CDDB4BE361938F49B0FE8861CF6490
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="Padr.o".._black="Preto".._brown="Marrom".._oliveGreen="Verde-oliva".._darkGreen="Verde Escuro".._darkTeal="Azul-petr.leo Escuro".._navyBlue="Azul-marinho".._indigo=".ndigo".._darkGray="Cinza Escuro".._darkRed="Vermelho Escuro".._orange="Laranja".._darkYellow="Amarelo Escuro".._green="Verde".._teal="Azul-petr.leo".._blue="Azul".._blueGray="Cinza Azulado".._mediumGray="Cinza M.dio".._red="Vermelho".._lightOrange="Laranja
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4452
                    Entropy (8bit):5.406343070018942
                    Encrypted:false
                    SSDEEP:96:G9C2ItcBy7s8RMkGJFRu4HMxzdz2JEYqJtXnbYjB9p0KjE9NIb1r0v8crRy+FY4X:G02AQXFRvURqGY+bYjXay8IuF
                    MD5:A93FD16C863D6DF5BE0E7D81B052326D
                    SHA1:1D72359BE27C82FBF999A73D0D1EC60DCEE2A69C
                    SHA-256:8A1E7B99883EBC8FC38777E099468A6A22D2A45EE7AE719D6660304CE93ABA74
                    SHA-512:4FD65DC1E29071ABCC57B54EB23AA679037BF37415162E73FA4C3588E3415EC08F09194AAEF272E851B79D67CA2272226185368D80F219C1ED4C51C41BEB5612
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="Varsay.lan".._black="Siyah".._brown="Kahverengi".._oliveGreen="Zeytin Ye.ili".._darkGreen="Koyu Ye.il".._darkTeal="Koyu Deniz Mavisi".._navyBlue="Lacivert".._indigo=".ivit Mavi".._darkGray="Koyu Gri".._darkRed="Koyu K.rm.z.".._orange="Turuncu".._darkYellow="Koyu Sar.".._green="Ye.il".._teal="Cam G.be.i".._blue="Mavi".._blueGray="Mavimsi Gri".._mediumGray="Orta Gri".._red="K.rm.z.".._lightOrange="A..k Turuncu
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4260
                    Entropy (8bit):6.037094847183698
                    Encrypted:false
                    SSDEEP:96:G9y/dTeU0Dtdv7YJbYNJoeFY3uFA5n+yj/9X906bPr0GaYGcVcec/cMcJctmIm:Go/B56abeaeFY3uA+yD9eMQK
                    MD5:308CE574305843761E97198CCDC3AB9A
                    SHA1:BE862BF000D1B419439D9E6D86ADC9CF6C7B0526
                    SHA-256:8AE9A42C1620CB0C3FF13493292D71EDD4FDAD12D44F37A2C0FE8B0E7868520B
                    SHA-512:B81F0D5ADEDAE568FEB20D165FC5271EBE3A34F8CE01BC0808ACC4979D0BC339E69E721EAFDE3A20AA0018843548C636F843DF9D5D2889724081A3BFB1FAE2DB
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="..".._black="..".._brown="..".._oliveGreen="...".._darkGreen="....".._darkTeal="...".._navyBlue="...".._indigo="...".._darkGray="...".._darkRed="...".._orange="..".._darkYellow="...".._green="..".._teal="...".._blue="..".._blueGray="...".._mediumGray="...".._red="..".._lightOrange="...".._lime="...".._seaGreen="..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):3360
                    Entropy (8bit):5.054525523128318
                    Encrypted:false
                    SSDEEP:96:U/nJvgGUjfg/WGzDz650Km9pDwnSB/Fv+qyUZnXL/8:CJvSfoz6fepxRL8
                    MD5:6A3DCF7BCD4DD2201C199C8738CAF292
                    SHA1:C55800B0FA53E44F6A1FE9EDDA25D9E8DC3384C6
                    SHA-256:29F04B58E51C9A5D00FDD11DE0B6FBA62D80BD7949B92CD0EEA7830A8A7A848A
                    SHA-512:DE76AD13E3CB4B0002F4584C564A99D8FD253F763763A0EDAF6C7ADF0FF7D23F3B240C454B014AB2F107164DD29C38C4433B2E8AA156624E5DD8C2012887C586
                    Malicious:false
                    Reputation:low
                    Preview:body {...font-family: Verdana, Arial, Helvetica, Sans-serif;...font-size: 75%;...color: black;...background-color: #eeeeee;...text-align: center;...padding: 0px;...margin: 0px;..}....div#container {...width: 770px;...text-align: left;...line-height: 150%;...border-width: 0px 1px 1px 1px;...border-color: #cccccc;...border-style: solid;...background-color: white;...color: black;...padding: 10px;...margin: 0px auto 10px auto;..}....div#header {...margin: 0px;...border-bottom: solid #cccccc 1px;..}....div#header h1 {...font-family: Courier New, Courier, Monospace, Serif;...padding: 10px 0px;...margin: 0px;...font-size: 200%;...font-weight: bold;...text-align: right;..}....div#header h1 a {...color: black;..}....div#nav {...float: right;...font-size: 91.66%;...font-weight: bold;...padding-top: 5px;..}....div#container.nonav div#content {...float: none;...width: auto;..}....*.externallinkinfo {...float: right;...font-style: italic;..}....div#content h1 {...padding: 5px 3px;...margin: 5px 0px
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (46010), with no line terminators
                    Category:dropped
                    Size (bytes):46010
                    Entropy (8bit):5.385604948780043
                    Encrypted:false
                    SSDEEP:768:XIeYspy9i1anbUwL7s4H9OCxm1lNSXimSr2cAJO+tqO2N5qM9Peot5TAzQ6UJYab:7yi1a975dOCxm8XimSrPYwvq2eot5T02
                    MD5:991937A66D57293ECECF969FDD129EFD
                    SHA1:4A99FF9C43967C4902E3ACA9AABCB7FCA6DB9AA6
                    SHA-256:E21553185E6A3B7D4DD744DE7B2A66FBA83DFB79D12C1B6430F82D4930831A30
                    SHA-512:A7A16E090B7D692DB8AF1C7C61B6DA6DD2892B26E96A002846A66E584B8072AD16C21C488742A0E33A33FA40FE51563F8282EFD91250B059119BF51768F63514
                    Malicious:false
                    Reputation:low
                    Preview:if(typeof bobj=="undefined"){bobj={}}bobj.Colors={BLACK:"#000000",GRAY:"#a5a5a5"};bobj.crv.params.newTextField=function(A){A=MochiKit.Base.update({id:bobj.uniqueId(),cleanValue:"",width:"100%",maxChar:null,tooltip:null,disabled:false,editable:true,password:false,focusCB:null,blurCB:null,changeCB:null,keyUpCB:null,enterCB:null,foreColor:"black",isTextItalic:false,canOpenAdvDialog:false},A);var B=newTextFieldWidget(A.id,A.changeCB,A.maxChar,A.keyUpCB,A.enterCB,true,A.tooltip,null,A.focusCB,A.blurCB);B.widgetType="TextField";bobj.fillIn(B,A);B.disabled=A.disabled;B.width=A.width;MochiKit.Base.update(B,bobj.crv.params.TextField);if(A.cleanValue){B.setValue(A.cleanValue)}return B};bobj.crv.params.TextField={setForeColor:function(A){this.foreColor=A;if(this.css){this.css.color=A}},setTextItalic:function(A){this.isTextItalic=A;if(this.css){this.css.fontStyle=A?"italic":""}},setTabDisabled:function(A){bobj.disableTabbingKey(this.layer,A)},eraseHelpTxt:MochiKit.Base.noop,getHTML:function(){var
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (65536), with no line terminators
                    Category:dropped
                    Size (bytes):100319
                    Entropy (8bit):5.489167560870413
                    Encrypted:false
                    SSDEEP:3072:o/qQ9QqU5/Zt8QSGcPVr2ndEiqwvfUsMI944RvKxzBFOvP:A9QqU5/ZXSoTw1i
                    MD5:F8593F94DA68C47584227CE530F13244
                    SHA1:667D308CD8DF956D3CF93904AB8A1712CF617BB6
                    SHA-256:3F9626FF76AAA65E7238D54C88EE5C3B795DD8688EFAADF63BDBE829C00AEA4B
                    SHA-512:388CAF14CACBB5E55D8A49AEE7B6C9E523FB00DF3C4D199196C4F0A4E341F7A379BFCB72C87414D820F4B1D56542CDD7D6E89B6204E0C6FE16366CBBB58C906C
                    Malicious:false
                    Reputation:low
                    Preview:if(typeof (dojo)!="undefined"){dojo.provide("MochiKit.Base")}if(typeof (MochiKit)=="undefined"){MochiKit={}}if(typeof (MochiKit.Base)=="undefined"){MochiKit.Base={}}MochiKit.Base.VERSION="1.4";MochiKit.Base.NAME="MochiKit.Base";MochiKit.Base.update=function(B,D){if(B===null){B={}}for(var C=1;C<arguments.length;C++){var E=arguments[C];if(typeof (E)!="undefined"&&E!==null){for(var A in E){B[A]=E[A]}}}return B};MochiKit.Base.update(MochiKit.Base,{__repr__:function(){return"["+this.NAME+" "+this.VERSION+"]"},toString:function(){return this.__repr__()},camelize:function(B){var A=B.split("-");var D=A[0];for(var C=1;C<A.length;C++){D+=A[C].charAt(0).toUpperCase()+A[C].substring(1)}return D},counter:function(A){if(arguments.length===0){A=1}return function(){return A++}},clone:function(B){var A=arguments.callee;if(arguments.length==1){A.prototype=B;return new A()}},extend:function(B,E,D){if(!D){D=0}if(E){var A=E.length;if(typeof (A)!="number"){if(typeof (MochiKit.Iter)!="undefined"){E=MochiKit.
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (55701), with no line terminators
                    Category:dropped
                    Size (bytes):55701
                    Entropy (8bit):5.544713312052484
                    Encrypted:false
                    SSDEEP:1536:063/OHsHheiwclNN49nxsxsqzENi4rAnd8Ku:BHheiNfCgzENi4snd85
                    MD5:FED3ED43BA2C164E1F34450C8DEC0001
                    SHA1:A3EB73AFDDA4BBAB9AD8A843BEB1747EE0814743
                    SHA-256:B2B982BF06FFD396E5D7718701872BBB00C7F9BA4FB601E6183EAF54F908F9D9
                    SHA-512:E0FC8E92320364CED043E9B93881C1766CCF96B4864201F1512C87DB40365792686E43F9352141C996E0F24BCF502CD3F850B2BB001D4FC792F392F1FC0CCFDD
                    Malicious:false
                    Reputation:low
                    Preview:var PE_VALUE_DESC_SEPARATOR=" - ";if(typeof (_pe)=="undefined"){_pe=new function(){var A=this;A._ie=(document.all!=null)?true:false;A._dom=(document.getElementById!=null)?true:false;A._isQuirksMode=(document.compatMode!="CSS1Compat");A._moz=A._dom&&!A._ie;A._appVer=navigator.appVersion.toLowerCase();A._mac=(A._appVer.indexOf("macintosh")>=0)||(A._appVer.indexOf("macos")>=0);A._userAgent=navigator.userAgent?navigator.userAgent.toLowerCase():null;A._saf=A._moz&&(A._userAgent.indexOf("safari")>=0);A._ie6=A._ie&&(A._appVer.indexOf("msie 6")>=0);A._root="";A._images=A._root+"/images/";A._prompts=new Array;A._lovBS=1000;A._st="s";A._nm="n";A._cy="c";A._bo="b";A._da="d";A._tm="t";A._dt="dt";_BlockWaitWidgetID="PEBlockWidgetID";A._theLYR=null;A._dlgResize=null;A._widgets=new Array;A.DlgBox_modals=new Array;A.DlgBox_instances=new Array;A.DlgBox_current=null;A._show="visible";A._hide="hidden";A._hand=A._ie?"hand":"pointer";A.init=PE_init;A.canSubmit=PE_canSubmit;A.beginBlocking=PE_beginBlocking;
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:assembler source, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):5807
                    Entropy (8bit):5.161668446690974
                    Encrypted:false
                    SSDEEP:96:VHI1IWZIKIHIRsFIiIk7R7+U6UauxuPu8nMuVmjniBhB6/KFF1cghG:9mnZj2qcrPhDnrkG8RVmjni3FcYG
                    MD5:F365D51A805044BCB544DE0CEA3191C3
                    SHA1:B4F9576803012449ACDC98C1CE283AA9687567F6
                    SHA-256:2CC9EC0284316AAE6DE6A11FB398177A8F717E9B5918BFCA9B0B2A8C985A6AC6
                    SHA-512:DDC30E1DA021111AF3B0D50A6C7B7C8CDF27327B6214089097F58364F0BB328403FDD7A6E6067BE87FF6EEB0F91E94799473AE192BA7EDC5B98068DB9497D5CF
                    Malicious:false
                    Reputation:low
                    Preview:.pePromptFieldset..{ .. border: 1px solid;.. border-color: #A3A3BC;.. padding: 0;..}.....peRangeFieldsetLegend..{.. background-color:#E4E4EC;.. color: black;.. font-family: Tahoma, verdana;.. font-size: 8pt;.. font-weight: normal;..}.....pePromptBorder ..{.. border-top: 1px solid #FFFFFF;.. border-bottom: none;.. border-left: none;.. border-right: none; ..}.....pePromptUnitHeader ..{.. background-color: #E4E4EC;.. color: black;.. font-family: Tahoma, verdana;.. font-size: 8pt;.. font-weight: normal; .. border-bottom: 1px solid #A3A3BC;..}.....PEUH2 ..{.. background-color: #E4E4EC;.. color: black;.. font-family: Tahoma, verdana;.. font-size: 8pt;.. font-weight: normal; ..}.....pePromptUnitHeaderTextLeft ..{.. background-color: #E4E4EC;.. color: black;.. font-family: Tahoma, verdana;.. font-size: 8pt;.. font-weight: normal; ..}.....pePromptUnitHeaderTextRight..{.. background-
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4549
                    Entropy (8bit):5.070717880546164
                    Encrypted:false
                    SSDEEP:96:VOI0IdI6IRsAIpInQmRKlh6ha9R98nM9Q8cSniB2GztDFFkca:YlAVq/aWYnwaH8URcSni5Uca
                    MD5:16D1E51FEDA6E1CD3745655C912741E5
                    SHA1:0D6E2B4F0DDCFA85269C9D7F18CF42E7FC0CEBAB
                    SHA-256:35EE75C77D1613EDF8D997C2CDF36B96B9A78ED174A6B7179770B8934F2FAB51
                    SHA-512:518B2ED8281C7D42AA053F897702254214CF39AAEC218258321517C5A5B0FC99E5EDDA64711570BC10C8743F97AC538B578B24EEDCCB326A2A9C0CB8B5F89D6A
                    Malicious:false
                    Reputation:low
                    Preview:.pePromptFieldset..{ .. border: 1px solid;.. border-color: #A3A3BC;.. padding: 0;..}.....peRangeFieldsetLegend..{.. background-color:#E4E4EC;.. color: black;.. font-family: Arial, verdana;.. font-size: 8pt;.. font-weight: bold;..}.....pePromptBorder ..{.. border-top: 1px solid #FFFFFF;.. border-bottom: none;.. border-left: none;.. border-right: none; ..}.....pePromptUnitHeader ..{.. background-color: #E4E4EC;.. color: black;.. font-family: Arial, verdana;.. font-size: 8pt;.. font-weight: bold; .. border-bottom: 1px solid #A3A3BC;..}.....pePromptUnitHeaderTextLeft ..{.. background-color: #E4E4EC;.. color: black;.. font-family: Arial, verdana;.. font-size: 8pt;.. font-weight: bold; ..}.....pePromptUnitHeaderTextRight..{.. background-color: #E4E4EC;.. color: black;.. font-family: Arial, verdana;.. font-size: 8pt; ..}.....pePromptElement ..{.. background-color: #E4E4EC; ..}.....p
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):663
                    Entropy (8bit):5.435157804074417
                    Encrypted:false
                    SSDEEP:12:uafKn7hqC37P4fhmLAQ09bCQmZQXlc2UE8h2ufXorrXNmteOub7Ll:uafNC37ApFQ0bCQTl1PYfXeXNmtejb7J
                    MD5:21EEF93737AE006924C51215BE4453D4
                    SHA1:6CCB5FA490C32099F5BF1B0F8674F5F44384C1E3
                    SHA-256:E6C4AB4B656F3666315E907AF3558638759EBADAC972C8D5F1368010B4B7DE11
                    SHA-512:6AFD9F5C6C70813589754B80423C93B13EB088BC87614AB07DD8D92C68C99D7DDDF9B1681F3FF348BC135D4FBB0C3F431C53D4706316C46D5C7E57A4B03E552D
                    Malicious:false
                    Reputation:low
                    Preview:. saved from url=(0017)http://localhost/ -->..<HTML>..<HEAD>..<META http-equiv=content-type content="text/html; charset=utf-8">.. <TITLE>Business Objects</TITLE>..</HEAD>....<SCRIPT language="JavaScript">.... //newWin = window;.. // USE THE JAVASCRIPT-GENERATED DOCUMENTS (calDocTop, calDocBottom) IN THE FRAMESET.. calDocFrameset =.. "<FRAMESET ROWS='70,*' FRAMEBORDER='0'>\n" +.. " <FRAME NAME='topCalFrame' SRC='calendartop.html' SCROLLING='no'>\n" +.. " <FRAME NAME='bottomCalFrame' SRC='calendarbottom.html' SCROLLING='no'>\n" +.. "</FRAMESET>\n";.... document.write(calDocFrameset);....</SCRIPT>....</HTML>..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):805
                    Entropy (8bit):4.897353402317076
                    Encrypted:false
                    SSDEEP:24:uafNJX7AptCgxg8qlNEWNgN/H+FqhFRdfLsC8gBpG/NMx:uUNipQgxgDNEWNgNvDbnfVLlx
                    MD5:9D6F9FEC75F709A3D1F8E9298AA6220E
                    SHA1:0F2A04C5F4EDE4346A1D905F4B7EA94830241D0A
                    SHA-256:55D0401FFBADA60C2976CE34595D1FBD4E1BDA179E10B9F1221950230DB2BA40
                    SHA-512:760E164DB8543BF7216F9871DDDACBD26C5252258EA8E7F38F797221C8793C2ED87BA1C16EA73C201C41EAC70F876EDDF2CA0473D6B2F445C1E1C2D100F401B8
                    Malicious:false
                    Reputation:low
                    Preview:. saved from url=(0017)http://localhost/ -->..<html>...<head>....<meta http-equiv=content-type content="text/html; charset=utf-8">...</head>...<body>....<script language="javascript">.....function setHtml().....{......try......{..........document.write(parent.parent.opener.calDocBottom);......}......catch (e)......{.......if (e.number == -2147418111).......{........// this is a 'Call was rejected by callee' exception........// which indicates that OLE Automation timed-out when........// waiting for a response from the process that spawned........// this window. The process is probably busy so delay.. // delay a bit, then try again............setTimeout("setHtml();", 50);.......}......}.....}.......setHtml();....</script>...</body>..</html>..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):802
                    Entropy (8bit):4.896262822342248
                    Encrypted:false
                    SSDEEP:24:uafNJX7AptCgxg88lNEWNgN/H+FqhFRdfLsC8gBpG/NMx:uUNipQgxgrNEWNgNvDbnfVLlx
                    MD5:65594AA1DA5F13C697B683B802F43F1B
                    SHA1:CBF33969276494AF9204EE23CECF2388683D13B7
                    SHA-256:66E16B27C6637E8609D94940EB24FD770BEB103144D1F976BE3898B33F6C1ADB
                    SHA-512:504203EDFD77C4EC844590D0BB470094F940BE7020F9F2BEE6021DC3BEB891AF5F16EAFD87959768413FB0E3DC4E3A71CBEAD67314C29E03B55A1FEE4FCE56A8
                    Malicious:false
                    Reputation:low
                    Preview:. saved from url=(0017)http://localhost/ -->..<html>...<head>....<meta http-equiv=content-type content="text/html; charset=utf-8">...</head>...<body>....<script language="javascript">.....function setHtml().....{......try......{..........document.write(parent.parent.opener.calDocTop);......}......catch (e)......{.......if (e.number == -2147418111).......{........// this is a 'Call was rejected by callee' exception........// which indicates that OLE Automation timed-out when........// waiting for a response from the process that spawned........// this window. The process is probably busy so delay.. // delay a bit, then try again............setTimeout("setHtml();", 50);.......}......}.....}.......setHtml();....</script>...</body>..</html>..
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 21 x 20
                    Category:dropped
                    Size (bytes):453
                    Entropy (8bit):6.793874543819161
                    Encrypted:false
                    SSDEEP:6:3ATg7w79m3xHcgaXce1ma+IzSmL0O6GcUcJuK/OXH5v9LqaTs+j7XEVClYtLDz6t:i9Mms4ma+I+9OOB23Ts+3Moaz67Wm+rQ
                    MD5:7A9E2FF9AC8A6C872B65D52C837B140E
                    SHA1:46753C0D109B1906FD54FF0AD29A845085E21D20
                    SHA-256:AC6F644DF3827D8B73ECA164ECA925F1BA8DDFB1EF4EF4963A6731C56BBF5252
                    SHA-512:0219F4B57022B7BEB94548F7EDBB4D56F1D48CF945A3251E9519AC0C5A455AA8693FAEAE2D6D27EE367F2CB8EFEC47232E2D35DED079E61740D280A4F9A208FD
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 21 x 20
                    Category:dropped
                    Size (bytes):682
                    Entropy (8bit):5.7899019129139
                    Encrypted:false
                    SSDEEP:12:7gN5+9BJ74NIFg4jUwXc6WnHgmsSm6YQ2aJ4NnVbtR1kZ:7wUUy4wM6WnAUm6YQ2aaVbRkZ
                    MD5:9AE9C5A416F0ECF53E10D95B44BA1FC8
                    SHA1:C5845C02810A186DB19691FA2D30AABBEA467C3E
                    SHA-256:AB14A134B453D8FDB6861E3B2A7F9DAE8C3619BD4C79FDDC5EC105C8122AC610
                    SHA-512:A12A5F68C40E4D5B224ECA8001582AEF30FB44AA1444D9C667228BAD8BC2051E49C27A588B9DA5613F650354F02C549817D9C0F3A9740E7550D0659E7FA43B84
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 21 x 20
                    Category:dropped
                    Size (bytes):452
                    Entropy (8bit):6.905192211941243
                    Encrypted:false
                    SSDEEP:12:LtkNjOz4sNT9ULVxS0TT0XO989X2wa3guB6gVU:LtkFtsNRUBBrwwnpVU
                    MD5:02CDD31E3461BAC8E5F765D2787A9D32
                    SHA1:373F636EE4A0EC370966C60EFE8BAF533C33512F
                    SHA-256:7763BB3FAF91D79EF2E2E60C1F1E508EBEDD80D1ACF4675A9D4DA8B18ADC130E
                    SHA-512:6B56D81F3A47B6F1EC00F6ABD304D97971B8CE68D188211C3C9AFF7D98B40B19FE70AB07C5CA4E3B805A7945A6E7D2D5EC7DAF82E9C16C1A4E6B1B904B5CA8BC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 21 x 20
                    Category:dropped
                    Size (bytes):677
                    Entropy (8bit):5.847359879482572
                    Encrypted:false
                    SSDEEP:12:mN5xggGT8jwQLoEObTVTJOPnnf4LPNCWuNfxKbHmKN/n:mNnCTgwQLWxOnnfIPkfan
                    MD5:297F8C17396FDCE7CDE983BE0E6F7E6A
                    SHA1:3C589FE2277EB3A9AF343D9B339C162224FC1902
                    SHA-256:C5191027E7E5F1E303AA1BD032FA27B955314D9FD3D5891C0EAF22E96E399AD1
                    SHA-512:91EF16C6BFC640EC13E73277786A7B03502F7CE8DAACE84D0B8D72E26910CCBD1C903758F723B7009E1D55630DF89FEB0C45493B244AB74DE3CDDFC69FB8615C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 21 x 20
                    Category:dropped
                    Size (bytes):1053
                    Entropy (8bit):3.9877654388055945
                    Encrypted:false
                    SSDEEP:12:btkNjOz4sNT9ULVxS0TT0Xux5GiPEY9ZPgJrk8G8B:btkFtsNRUBzGfAGJrk58B
                    MD5:7F148BAC5F10E702D763DD632ED72686
                    SHA1:C5F978E138F20559942E4646442CB038150A3063
                    SHA-256:98F660E38D2BE92257650B2028E12B1017AD4ABF78B2DACDC8049663CBAC6F64
                    SHA-512:EA2D04A89F44A2CE33DD32F4AF9D5EB93DCF97B9D303EA16B635C96EF8C33334374D9E5900552C44AA9D261F257F4FE762EE1B0CD5596425764C35847B076445
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 21 x 20
                    Category:dropped
                    Size (bytes):1069
                    Entropy (8bit):4.182328075760969
                    Encrypted:false
                    SSDEEP:12:h5xggGT8jwQLoEObTVTJOODJ6iEofzMZ8FsjJR35E:hnCTgwQLWx68zMZ8FuRJE
                    MD5:48AE9D1C04CB737AA4739B1EFD8E38A2
                    SHA1:29D6CD6515EE4C24FD6B3769D0D7E12DD93C033D
                    SHA-256:CB97C3975E867424F8B308C0EF47ACD3EB2622E4ABC13A12B211E50D5085014A
                    SHA-512:7EBFD879D98950873CB2DEAC00E2EAD1F2DAA724998B909927B6303B26D04391C7995CBAD8B1672A64C87368E79770BB87FDC5B9CC56B1DC4EEDBD5C650E1939
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 1 x 18
                    Category:dropped
                    Size (bytes):813
                    Entropy (8bit):0.7079041602422899
                    Encrypted:false
                    SSDEEP:3:CHYjuGSa/txlctVMCGWen:2muGRtgqzWe
                    MD5:4AE5FCF76D2614BF8A47CB16977571B1
                    SHA1:9F62E28AF6F668FDB621338175F01F951D4DCE59
                    SHA-256:47CE185AC67ABD74475886173CE089662438ED148B7EEA07E2ED2D3AFF8A572E
                    SHA-512:1FCE72F56E8BB944565CF48DC892F56953BC2D21F8E4050F1D121BB402ED0929E4B4F38890799D5697D9C045B02FA965DC254C471F0EF6293675B67E03A78525
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 5 x 189
                    Category:dropped
                    Size (bytes):1344
                    Entropy (8bit):4.902937197308301
                    Encrypted:false
                    SSDEEP:12:qh7YVxx7gGaVrFfbhNsx8jQLnMPRYA6Fkr65SdR7tZE9vyUWGt:27O4GaVhhjj4nMJck7uTt
                    MD5:E45526BE0FE0D0949AE7212231666A5D
                    SHA1:61A0FB4572E66FD10DB540D1953782E2D8329241
                    SHA-256:3F78B98905EE65C8C3FCB78B52D0C8B5979CA3F7297892F2DE586E2690FE2C6B
                    SHA-512:8C2221BF43068F2F64E905748D4465D91772007E05E267D6953F1E6EF5B2B528AED60EA9A98CE59A78D1A879604E36BD64787273CDF6473BF7B0926DD1F6CACD
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 10 x 20
                    Category:dropped
                    Size (bytes):351
                    Entropy (8bit):6.128679095865032
                    Encrypted:false
                    SSDEEP:6:zI/5sLKKfaGAt2nAs40Co8zKOSrnvTIIx79f0QZO9:JLKKfaGTco8zKTbvT7MW0
                    MD5:E90B951F9EA7525CEB2B9F27EE14B5FA
                    SHA1:1B4BB154400010F27F07CA1055FDA243A5B9B5A0
                    SHA-256:A1B1F04E9BFCB0685EE78C1A09DAFA7FAC52E7DE4482B75D1C4947DA3C0FB121
                    SHA-512:4C16EF9DCE1350F82A03B4075AD9751ED6D3799A767314D28B13C1A3EC426D9323AEC830F0DD9C60499BDDDB421F728498B455CFF44B0409C37977DE4D9023E4
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 2 x 20
                    Category:dropped
                    Size (bytes):162
                    Entropy (8bit):5.627141827585112
                    Encrypted:false
                    SSDEEP:3:CuaaQDQ513Df4QfeSKevhPRmdStBC68Vltjzl7/lRl3hIzGw0iIghWn:yBQH3RfeSHhPROSzCtVXlphIzGB9kWn
                    MD5:27C6E2DDFF9D6B153EED6DA9FBD870C3
                    SHA1:60E06C2C162ECCDE659EF8232188E83B87469A8A
                    SHA-256:D5E7921EDC58B28769B27F95BB8DED6E968A740B8F50EA8D6454CF4FD747F131
                    SHA-512:83CBD4FF606FEE564ADAC8C6062F35399E714D6D76184F8E6C553A374C8B5228A64F941ECDD084ED5312DD31B51D923A17DF21FB589CB6A229A0DBC19B1BB2CF
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 10 x 20
                    Category:dropped
                    Size (bytes):350
                    Entropy (8bit):6.128603325715258
                    Encrypted:false
                    SSDEEP:6:zI/5sLKKfaGAt2nAs40Co8zKPO1IFOoP0v0JfYCR:JLKKfaGTco8zKPucD0v0JfYk
                    MD5:B39F5CD0DF3D50BC0DCD247F1D3E86C5
                    SHA1:6E82F83A0FEF817FF24A4DCB2735016781D56DCF
                    SHA-256:0C22AC6E2C3F3CC3ED34CCC326EF43AAEE88FBA0D4362B76FEF5EF045F3BEC5D
                    SHA-512:76674D736BCDF97CBAF30367105D1696FB01301965A849DA257F8AB32ADE74A770EA589B105CB7723AA5489949ACE01B3F16B5B6F88E168B52D13163CF9B8C3E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 16 x 16
                    Category:dropped
                    Size (bytes):129
                    Entropy (8bit):5.892522876518795
                    Encrypted:false
                    SSDEEP:3:CsA1WzeXuYloJSdRNEZSVnuQlbb0rqRy0dG/n:NA1seXQJSREgn7lbb0rqU0E/
                    MD5:B05456B9CA0A7F9B281E5264445108F1
                    SHA1:DEDCB3A628CD20038E4533CB6A4FBB0392D76470
                    SHA-256:9BB256BD98391C56CF36D7CF6EA1FDC74EAC4D347AABA107B0FBC52B77C20845
                    SHA-512:2733AEED369C0F35637BC3113C3313AFCE90159A82E8595E6990944F36C49FBE538CD74F2C76E2AE4690E9D078921F47D0DF48A965FF935D0F9820BA6ED9624F
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 21 x 20
                    Category:dropped
                    Size (bytes):686
                    Entropy (8bit):6.240464785210302
                    Encrypted:false
                    SSDEEP:12:FbdIOhideJZt9qpoK6sLELzH87AK46hi3634UpfSg84YvenCGtM:Fbd1rfqpiUEk7AKgK346agoeCB
                    MD5:73603A2151B0F9B05D82A4DFCBDA57DD
                    SHA1:23DDB1F1BCA603998D589736F61EE6D229CAF4E5
                    SHA-256:470869A425AE3F8537D76322451DC2697877CD4F41C6F76E1C4A0D0B64AD226B
                    SHA-512:48A9C3D597230B7AD6C822357693CDDA85D121F1D0418A4A87CB7EF93983C0EBA28FDD6CD4623A7462DD7E9AAFAE7EBAACE1474BDD85698BFAD13E7248965052
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 21 x 20
                    Category:dropped
                    Size (bytes):688
                    Entropy (8bit):6.22316895655775
                    Encrypted:false
                    SSDEEP:12:T3JJLYZwxLbMizpWDLzk6sc79LXZfXJBuk6t6HayehV0E:TkQbPzpWo6sm9ZXJi6HayaN
                    MD5:D6AE79B6F67CFDE7665EFDC42A73A120
                    SHA1:71B7E7F836D7C61EB7A457F8967121A011C14E63
                    SHA-256:A17963B13DA9DB1A44C583A978008D87FF784EA7922A4B6CB72637FCBF4017B8
                    SHA-512:B8E04A11F5637EFBD1C509A8A41FE7881A1E544B007C5DD5BE8EA0B1050C7BA590C4BB8E5F45B114DB84D899BF69B43A06F2C93589845D9B9C1DEC563C4BD06C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 18 x 36
                    Category:dropped
                    Size (bytes):171
                    Entropy (8bit):5.318270131123808
                    Encrypted:false
                    SSDEEP:3:CemclmYl1ylHrdns3GeLfjDsgYvK4PdKjDQbR8RLPZhaF3vqR+e06kE:RmOWer/sgYS9VPyQ0PE
                    MD5:A2B006199BE0B1D5DDA70ABFB7247A0B
                    SHA1:559F4BC9CB4234DC4A0341C3AA97B30447301018
                    SHA-256:45BDB4FDA35439F7AFD2360B3371828F4284FE5125DA32E1C05C5176D660587A
                    SHA-512:A60AF260E842110F933721CC8E388E19ED4A7111C4232F4F6DBABF4807771E9860C7D06A91F61CF07CC538C2CB40A0C0D9AF381723325050259F590217953264
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 1 x 18
                    Category:dropped
                    Size (bytes):818
                    Entropy (8bit):1.1501187038969296
                    Encrypted:false
                    SSDEEP:3:CHYz1o99ebl4G9Wijj0rlct2+vgv3Fd/+oltOn:2WofehWAjp27nWoltOn
                    MD5:CA309E903172BA90BC7663F48C7B2364
                    SHA1:225A36E0E6A69F3B333F9E400B248A49EC050480
                    SHA-256:804547F71B0F0BFB5A935C71E251EC9B98B678B167D6E12EF47966001BB4865A
                    SHA-512:BC03C6097543B441A1FCBE1CEB3322D9DAD800B1E57B267A6AB31F7F1856B71EDED2BCE6160F2774359B4A019F13C609E1E24D4E0FF0112AB0E343AA65383131
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 32 x 32
                    Category:dropped
                    Size (bytes):1482
                    Entropy (8bit):7.629324038013837
                    Encrypted:false
                    SSDEEP:24:3UJ2a1A3Dmp2zMbt2MIgt3i0F/Ynvt3ClbJNgXqSzx4W026DQfZleXlZMlh9epJA:3SH1ImxkmlFg1ClzAq9068fZsXlCl7eo
                    MD5:55A1D3722371140BA0606D71784B2C53
                    SHA1:FA9886B83B02E59C280E01B9B31FB8719B0F4D4B
                    SHA-256:FACCDEB0E1A2C3364E966FEF45D3346B7CDB2F75AAADF48FE3D4EC4983A201A4
                    SHA-512:0CC04B0E7E7F7811A97ACC49D88D543AFF60DAAD91E2C60D19652C8D46509E3299C3A3204F3C8FF7ECA4E99E78856B9AB75A1061C2676B7930D9191B2A641174
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 12 x 12
                    Category:dropped
                    Size (bytes):560
                    Entropy (8bit):6.647986074316477
                    Encrypted:false
                    SSDEEP:12:HDlJN0mmYLP6R7kSksXQUz85dgyiKatJIB/821IKDMv6Ol657e:HD3NlmYL8kSk2Q+8ziK+IBTmv6fe
                    MD5:69F6947AA0FB3361DC31B0F1ABFE5930
                    SHA1:98EBD25DB02C0B81B42E86995D641716C3C77A4C
                    SHA-256:F53BEF9B8B9D4D9331F24FCE057052AD9D3558765235697F020CFCB0DFD42C60
                    SHA-512:BDD90A409B398C2DC15DB69A019698141D2F6DF3BD9C699BBE034B03760F5EE989E2976920768804F9335E3CE2B933C57C69DDA2C10474B9C6CDF9A6E8297A12
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 21 x 20
                    Category:dropped
                    Size (bytes):698
                    Entropy (8bit):6.577596437477993
                    Encrypted:false
                    SSDEEP:12:qFRcbY4WpMkwAIkSyuMKW038dBJq0uxNieeAx8wDpsC/g1ME:sRcYxMktJBuMKWDdBJqz1eAxPgOE
                    MD5:2D66930D63C607A0325C06E8C0804198
                    SHA1:AFDBB5105CF1C789E770E029A9EBAA033D62EAE3
                    SHA-256:F030AA4C18BF698FE55AA5464B83202A1451C3036892675710B7F872E2723497
                    SHA-512:AFA4B1BE2779EE72C6D06B9EF0A905A59CABB073DF3ADA78314B257FDF5256EE327DC5930945C69977D66514B6A8F116D22AFD2D488466C406B2AB2211E0FD52
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 21 x 20
                    Category:dropped
                    Size (bytes):695
                    Entropy (8bit):6.492615794888212
                    Encrypted:false
                    SSDEEP:12:m9OsHGjHx13WD4KC4701WciaR0uyVEDebBua038xEIEHKyzp5RlsqlMsx2j:ualxirX9ZxEICzRWqlH2j
                    MD5:BD119BCC149CBAC6CDCBDD41E962EF36
                    SHA1:3D1044F53A185C92390574CCC02272C9AC3CA657
                    SHA-256:5CE540240EDAF78C8F220D0E8AD42F689E8BF2F16A88257417B02F4835F8486D
                    SHA-512:9A2B728AFB8A65EFD752AD10AE7C73E7D224F30A6E3BA6F3D541924D5BA7B1A8FB4ADC38EF0B26D24AD97553C535B6DF0B954F78219F1C01EB9A8D0F5E101FEA
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 21 x 20
                    Category:dropped
                    Size (bytes):452
                    Entropy (8bit):6.905192211941243
                    Encrypted:false
                    SSDEEP:12:LtkNjOz4sNT9ULVxS0TT0XO989X2wa3guB6gVU:LtkFtsNRUBBrwwnpVU
                    MD5:02CDD31E3461BAC8E5F765D2787A9D32
                    SHA1:373F636EE4A0EC370966C60EFE8BAF533C33512F
                    SHA-256:7763BB3FAF91D79EF2E2E60C1F1E508EBEDD80D1ACF4675A9D4DA8B18ADC130E
                    SHA-512:6B56D81F3A47B6F1EC00F6ABD304D97971B8CE68D188211C3C9AFF7D98B40B19FE70AB07C5CA4E3B805A7945A6E7D2D5EC7DAF82E9C16C1A4E6B1B904B5CA8BC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 21 x 20
                    Category:dropped
                    Size (bytes):677
                    Entropy (8bit):5.847359879482572
                    Encrypted:false
                    SSDEEP:12:mN5xggGT8jwQLoEObTVTJOPnnf4LPNCWuNfxKbHmKN/n:mNnCTgwQLWxOnnfIPkfan
                    MD5:297F8C17396FDCE7CDE983BE0E6F7E6A
                    SHA1:3C589FE2277EB3A9AF343D9B339C162224FC1902
                    SHA-256:C5191027E7E5F1E303AA1BD032FA27B955314D9FD3D5891C0EAF22E96E399AD1
                    SHA-512:91EF16C6BFC640EC13E73277786A7B03502F7CE8DAACE84D0B8D72E26910CCBD1C903758F723B7009E1D55630DF89FEB0C45493B244AB74DE3CDDFC69FB8615C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 32 x 32
                    Category:dropped
                    Size (bytes):1501
                    Entropy (8bit):7.746239677620112
                    Encrypted:false
                    SSDEEP:24:3ilLenVbohedQogicc04qq8cSqjXuKzljMlwMlIjvYWVSc63UsP28x1v6Id3Eme:3KynVb1fgU01ql7u4ylw3jvYW8c6Je8s
                    MD5:DB72B182CD0CEEF3F39115AF91148DD5
                    SHA1:2C5BB4B3372E3BC17BA3EAF51B0742B617099E99
                    SHA-256:5EDBEAE5A37201282FF0E6CE6139A6EEB1B4212FAEBD097AE65BF1394086DFD9
                    SHA-512:3CAD5E09B97FBC243F3FB89BF03AA47F08794831C7D3D2CFCAD4323DFA7135E4F03E2EFBC6AEEAA1BC24598E7FA134C638FC941F86C62E8D41A4A3B3C094029C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 12 x 12
                    Category:dropped
                    Size (bytes):551
                    Entropy (8bit):5.392731445699808
                    Encrypted:false
                    SSDEEP:6:HMB9PKIyuXNuZMai/ip4LQvFs7zd0DpT40ZmXlAa4Pa5itborikGp7NzjiG7n:HAkciik4vlqE0ClAtPLIU7BjiG7n
                    MD5:CB3DB36AE9D20676F30C7FC24CF67B43
                    SHA1:2BC08F9AE8C9ED114F54A379D82E0A1FF4B205F6
                    SHA-256:8DBF9C3803D17850CF16D6B702CE7D7D88EEDF77BBD0057C6143DBA18FA533FD
                    SHA-512:4F5478263C89EE22B346DAD2C233961E7972BAC1ABDAFDF1EB9DC7789868AD181DDE976FE34AD55EA904284B2CA18892D45FB4D3A79C344DC273B2E7FD1A36B9
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 19 x 20
                    Category:dropped
                    Size (bytes):100
                    Entropy (8bit):4.874192988036409
                    Encrypted:false
                    SSDEEP:3:Cjd0KSt/F2xll/utfvVbN6SkuunEn:Sdd2Ilafv5N61E
                    MD5:E8EFBBA1371E744733EADBE66A0F4A76
                    SHA1:78E51790C85544BEAB1FE4EF7B9A55911A175F23
                    SHA-256:2E39F00E5BB9A4ABD8B09D7D26478E1940261E8D19A1E3A4ABC052A6A41594DF
                    SHA-512:35E88D3A3ECF026ADFAF5EA5B6FB47FED11BD488706D56A314867E841C22CB6CCAF8749A0B2D48254885D2871F694AE6C6055D9B62674C5B4DED97CE7AC0CB05
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 21 x 20
                    Category:dropped
                    Size (bytes):452
                    Entropy (8bit):6.9209246645425075
                    Encrypted:false
                    SSDEEP:12:GXoAg5jtzN/zZUteoC/kDL0MvOyi66gpNcCp3dCbqAx1A:mEjNN/zZyLmyiLgpOy21A
                    MD5:81DC15239A831144AF4DB764CB547A97
                    SHA1:AF4E12A288FB1736746A83F657793D109AE79D7E
                    SHA-256:7A9791CF4A6897DFE5D85E3A70298EE124A5B350AB37027629B7830CC222B9EE
                    SHA-512:36A6E420F337C6F4019FAB99B7FD4DA445FD0A6A19D29845C97AE2521C8C36C213B07138D2648690DDB408558E18A150AC5CBE452A706A5C5CCCDD50C63EE3AC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 21 x 20
                    Category:dropped
                    Size (bytes):463
                    Entropy (8bit):6.928280884358569
                    Encrypted:false
                    SSDEEP:12:PPpWv9dTa7Qk9dxdxaGEulS3oRgwBpeJHCWu9:PhYTa7Pv4vYRgUeJiW4
                    MD5:EF8DAB80E3C0C60A71F30479E1154F1B
                    SHA1:393BA2F06AEC04ABB865799235BD3F066031C196
                    SHA-256:9B5E6CE8791749D4AEB8710332BD23B5CC1B4BAE8B8BAF25F0A53D107519A26C
                    SHA-512:87183EF18E846E0EE835D87B6F5E7B925A8A59C1CF9FC80B43A57EA4D9F0A50FF2AD98F56C44F3B94EE4632F21296FD27A17D8DE31874587847FD086D5068A49
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 19 x 20
                    Category:dropped
                    Size (bytes):109
                    Entropy (8bit):4.977791090909211
                    Encrypted:false
                    SSDEEP:3:Cjd0KSt/F2xll/1LhCZ9xoc4NWxmhOta:Sdd2Il9di4LhOA
                    MD5:73C03EDD4293DA9A3AF776B3E61FCAE5
                    SHA1:A0A303EC35A0736742C9884EAEA3C294EDC3BCCE
                    SHA-256:AEE3AD398EE924D637C683650AD19F89B77BDA6ED24C2542359A14C3EE169071
                    SHA-512:FD313E395DBD821FF05E40C3767E333F49B5855B333A94C66E5520FD3081B8A06D0698933555EC6754D860A2C978A84760E0269D6A06F5A78CDE6E88116BC56C
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 21 x 20
                    Category:dropped
                    Size (bytes):447
                    Entropy (8bit):6.8394587634545765
                    Encrypted:false
                    SSDEEP:12:94Yivpz8bEBDL0O/aDTOH3wcy0bTEzvPno:94YAFhJL008D/o
                    MD5:AE44B0C9834C70CDFA369BA20320A2B1
                    SHA1:DF307129A30843C4A70664DF49F9FB443B98DF18
                    SHA-256:003FA75BB6056EAA50C521246D5D2779BAB3CF5041E83247C1E8D158B3BE43F8
                    SHA-512:38C34F007DAEA3D27D899F2E25980F5C045E320C250D08E04D99EA8849AE72BA5954CD8E71B438494DBE11C01F7D3C52A3C3B34E4840A914102728D5E525F122
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 21 x 20
                    Category:dropped
                    Size (bytes):467
                    Entropy (8bit):6.952099131437181
                    Encrypted:false
                    SSDEEP:12:KUUzVO0s4GXQyA2HFkxaGEu81SZJGRmrsLNQq6BkIP9UQRp2T:szVOD4yLkZJG44CPkIZRpa
                    MD5:53A1F5687835EEBD48B40216DD87FA04
                    SHA1:98E2163A9817AA3B6B2B4DBB63C4C3BEF9F5DA36
                    SHA-256:6F9A8D514CBA4AEE568CB44E0770C8235360A3E980CD0430FDBFD71CF736B222
                    SHA-512:2FAB1AB7F2DBCFB9FADE64654403950C9A932C24A226C23B13418B53CBB477DFBE40930599199C03CF9634293A73D047206022E938FC1C0B2BC0FD023CA2814A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 14 x 14
                    Category:dropped
                    Size (bytes):857
                    Entropy (8bit):0.9658137983431105
                    Encrypted:false
                    SSDEEP:3:CDGGs8t/dylaJ9lYrFkainCw0MiVAHnlGcsn:X81rJ4Rkafw0M6gEnn
                    MD5:F9F710D772E761889A1E91BCDD45B616
                    SHA1:B2508E44B6F6CC23C01D4D069DBD0F407CD26CC0
                    SHA-256:BA13E267E98A7DCAC50EDD7D3C9D98DFF673A3F2AC1818A3B003F4C5F6185F5A
                    SHA-512:99920B8DEF74E74FFDAD228F4601508180E02D9B7F9FF1130B61CE461490AF95DBFB7448793AA4572763429D59D61D9D7CEFDBCA3E40D41B24307A38AADD54D6
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 1 x 1
                    Category:dropped
                    Size (bytes):85
                    Entropy (8bit):2.9134685535238303
                    Encrypted:false
                    SSDEEP:3:CUMlXnewgeE/xlRxe:7wnEy
                    MD5:B9F25E8B7EE6324580709F9AF707DCEC
                    SHA1:6447291E5E6775D3217489B1E8B5CD28E4C0B309
                    SHA-256:043D81F62C8A40FB00C07F9A2B410C298AC771C96C659CB54773A81B43CBC83D
                    SHA-512:EFD8D8D04DACE3A4C317C0CCD2E051C257E1364CACBC89C3B49649FE8DBAED516CFA3A0D7B439B2FD52C42408F1E9E3556EC7EA9AB371AE901D1C9AF3E884443
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 32 x 32
                    Category:dropped
                    Size (bytes):1538
                    Entropy (8bit):7.809254067189677
                    Encrypted:false
                    SSDEEP:48:31ViBYWSk8eIEmr81T60lgo1yk9UnxqY++LA46R9p:37gr8eID81T60V4nh6p
                    MD5:0BE1818D045B79A57AA7EFF9BA5E7753
                    SHA1:3061D050948FBDC4CBCEC06240910EF5F52BDE6E
                    SHA-256:7A56FF638B4197BE0606B0881923AF1EAB611E70F15F6B70F7E51708C07F9671
                    SHA-512:C7FDFF6FC056A3E3D775994EFF0467B44BD825E659BEFE2E79FF171F477B11240B7409A0F8CF4235B44D45B910FF54D2BF4706BC4C29D0C209B2D8096678CE15
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:GIF image data, version 89a, 12 x 12
                    Category:dropped
                    Size (bytes):314
                    Entropy (8bit):5.640616119727179
                    Encrypted:false
                    SSDEEP:6:H8/idv0+FvAJ97YgHpuExvvRSDm2GzReF1t/HZIhbA3se:H4Uv0SQ97YXm3RUk4TlHZcbEse
                    MD5:3DFA3E6C879653373920412CB76F18C0
                    SHA1:E71C05EA028282F9DC5467951E822CF734185782
                    SHA-256:5C9FB53329829B8B0FF86533DA91C4DE6010059D32CFEF9C8043C053255D6440
                    SHA-512:53CA26FE06B3BB8162221BDF504A555AE1B70D7BD385F94274C0AF47739B58811D201EB755D45131E387DFC46DFBB6311D04517ECD5BCD75B6100EA9A6C023B2
                    Malicious:false
                    Reputation:low
                    Preview:GIF89a.....,....GB......<.........GB................MJ...RMG....GB...ALF.............HC.MH.............LF.MJ#MK-......KE.......GB....MH......@MH.............................................................!.....,.,..........W@.pH,....q.2...C.x@...`...?......%..0.>.*.V..\G..$...LP...).[.'.........$...,......PA.;
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):223
                    Entropy (8bit):4.618600509354323
                    Encrypted:false
                    SSDEEP:6:CDcqKzfUK44EizfUuax4EizfUSRx4EU4HKSRUKVXKFuwSwbzlzoA:jqKP47ikx4EimEU4H/9i
                    MD5:3489DE7BC38D008FB3E3190597B1F24B
                    SHA1:9A74167A26D167D44ABD60238B1D9C8DC1687F27
                    SHA-256:CF6EF22722C1B05EAD663E8AFD3467BA67C9EDBE63B80DB02B3FB1ADA8421435
                    SHA-512:1F1E8D8005778C5C4BA0BE563E39BED88DBD4E99E9710451A0B426D70B62A6BD81EC407534013ADB874686B7A52A0DA5ADBEB319589B9BC66E144184A86D2EBF
                    Malicious:false
                    Reputation:low
                    Preview:if(typeof(promptengine_skin) != 'undefined' && typeof(promptengine_style) != 'undefined' && typeof(promptengine_lang) != 'undefined') {...initDom(promptengine_skin, promptengine_style, promptengine_lang);...styleSheet();..}
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):5588
                    Entropy (8bit):4.8631410686861285
                    Encrypted:false
                    SSDEEP:96:jeMDTsfCwLRpoRAjD11nX20imfNTfT/i3H9pa9f4dF:jlwNLfoRAfTnX20imfNT2HyydF
                    MD5:3BC2CC3DC1D31370F1CDA658D8EFAB4E
                    SHA1:D5B0496D4DB7C606F65CEA8650E119197A4D3DD3
                    SHA-256:9155B202FE78C467B3B180BDF4195E6CDAD756D4A2DB7CADC8B7FB94F6370400
                    SHA-512:4AABC27D7B487B653EDC4B196104755BAD16041D2B66409CE63677BAB5AA32D5CED33A593C1EC8D29BB4A6B5DE2B9796884BA012E8B7BD8843BD3F13E53292EA
                    Malicious:false
                    Reputation:low
                    Preview:if(typeof(bobj) == "undefined") bobj = {};..if(typeof(bobj.prompt) == "undefined") bobj.prompt = {};....bobj.prompt.Calendar = function(formName,dateFormat,locale,promptJsFilePrefix) {.. this.locale = locale;.. this.crystalreportviewerPath = promptJsFilePrefix + '/../';... .. this.loadFiles();.. .. this.formName = formName;.. this.dateFormat = dateFormat;.. this.dateTimeFormat = dateFormat + " " + "H:mm:ss";.. this.isDateTime = false; ..}....bobj.prompt.Calendar.prototype = {.... /*.. * shows calendar for the specified input.. * @param e [event] .. * @param inputName [DOM element] The node that will receive the calendar value.. */.. show : function(e,inputName) {.. this.calendar = bobj.crv.Calendar.getInstance();.. this.input = document.getElementById (inputName);.. .. var srcElem = e.target ? e.target : e.srcElement;.. var pos = this._getPosition(srcElem);.. .. this._setVal
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):32638
                    Entropy (8bit):4.771858819413964
                    Encrypted:false
                    SSDEEP:384:Rf+RDnPIEuD+F1om1SfZl1SpL3+cEdAU4ke5DBZGg1TlrYplzUkZb1rS9/BJPHjG:Rf+UYAAUaZGg1TOrSp84Fu
                    MD5:23B2C2F1ED875427326F8EC85B2B0284
                    SHA1:DA3E98304ADA61A5EEE66358A870E5ACE0C05618
                    SHA-256:5474CC6B5C1270458F71A5D2C445791968FA55A8B9B2E51315A43D9BDAA1401A
                    SHA-512:90691F34243400F4C06DA0DC206D083915E2E310FE329D7A9E9AEBB69B46C6FC36F42935A4A0223D40B45228F2FA0A4F65D7C36B0BBF95900BEA536B3F45FE44
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....//////////////////////////////..// FOR DEBUGGING ONLY..var debug = false;..function dumpFormFields(formName)..{.. theForm = document.forms[formName];.. for ( idx = 0; idx < theForm.elements.length; ++idx ).. alert ( theForm.elements[idx].name + " - " + theForm.elements[idx].value );..}....//////////////////////////////..// GLOBAL VAR..var isJava = false; // do encodeURIComponent for Java only....var isNetscape = navigator.appName.indexOf("Netscape") != -1;....var LEFT_ARROW_KEY = 37;..var RIGHT_ARROW_KEY = 39;..var ENTER_KEY = 13;....var DateTimeFormatSetting = {.."datePattern":"Y-M-D",.."isTwoDigitMonth":true,.."isTwoDigitDay":true,.."dateRegex":null,.."dateTimeRegex":null..};....///////////////////////////////..// functions for DateTimeFormatSetting....function promptengine_getDatePattern()..{.. return DateTimeFormatSetting.datePattern;..}....function promptengine_setDatePattern(pattern)..{.. DateT
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (608), with CRLF line terminators
                    Category:dropped
                    Size (bytes):81668
                    Entropy (8bit):5.200124112127736
                    Encrypted:false
                    SSDEEP:1536:n9VZJWUgaRH3grsL0ci/0o7N5suAwZ9AFT:jgaRH3grKpizN5suAwZ9AFT
                    MD5:51DD7BBB1BC9DEDF3E414CB097A9B236
                    SHA1:63378A84E6906FA55903B00F600A61B24821E909
                    SHA-256:C1FCA0ED7DB715DEC0A5152FC308329417733DCB65A32319FF769F9ECB529BE8
                    SHA-512:601973BF16A4D279EED7D6524EDDDD3AC0728E143A28F649BC0484A93084DE04AFFFCDD0F78C6C57FE1EC8EA255A02F4BBD6C6C8833E616C93384D133D7246E9
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */..var PE_VALUE_DESC_SEPARATOR = ' - ';....if(typeof(_pe) == 'undefined') {...._pe = new function()..{..var o=this..o._ie=(document.all!=null)?true:false..o._dom=(document.getElementById!=null)?true:false..o._isQuirksMode = (document.compatMode != 'CSS1Compat');..o._moz=o._dom&&!o._ie..o._appVer=navigator.appVersion.toLowerCase();..o._mac=(o._appVer.indexOf('macintosh')>=0)||(o._appVer.indexOf('macos')>=0);..o._userAgent=navigator.userAgent?navigator.userAgent.toLowerCase():null..o._saf=o._moz&&(o._userAgent.indexOf("safari")>=0)..o._ie6=o._ie&&(o._appVer.indexOf("msie 6")>=0)....o._root = ''..o._images= o._root + '/images/'....// prompt section..o._prompts=new Array..o._lovBS=1000....o._st='s'..o._nm='n'..o._cy='c'..o._bo='b'..o._da='d'..o._tm='t'..o._dt='dt'...._BlockWaitWidgetID = "PEBlockWidgetID"....// dialog secion..o._theLYR=null..o._dlgResize=null..o._widgets=new Array..o.DlgBox_modals=new Array;..o.DlgBox_instances=
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (339), with CRLF line terminators
                    Category:dropped
                    Size (bytes):3286
                    Entropy (8bit):5.028564212299118
                    Encrypted:false
                    SSDEEP:96:59ea8DXIinZEArS5qz0qzjlFxrL4EoY/rCZrcCKm+eKmsFhHFaUjAcFs5l2bXFWv:5gQ0Fnr6rCm8msDHjtWd9
                    MD5:BFF0D8D593803810EFFE761A037BACEF
                    SHA1:94C406DEBFA5020C4C1735A4F3BB160C3EAE8DB7
                    SHA-256:6183B0D0AFC19DD60F9040DC48D736B13EF152D9E3EF35EF00D7723442F9D439
                    SHA-512:B07EBB72C485A588D6385F6D5587D61209CD8C9CE085539340E7BC32B1F1ACCF539C005EFE24A103FF548D395013712E290791940C694A00B0930DD00C1416C3
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "Dnes";..var L_January = "Leden";..var L_February = "\u00DAnor";..var L_March = "B\u0159ezen";..var L_April = "Duben";..var L_May = "Kv\u011Bten";..var L_June = "\u010Cerven";..var L_July = "\u010Cervenec";..var L_August = "Srpen";..var L_September = "Z\u00E1\u0159\u00ED";..var L_October = "\u0158\u00EDjen";..var L_November = "Listopad";..var L_December = "Prosinec";..var L_Su = "Ne";..var L_Mo = "Po";..var L_Tu = "\u00DAt";..var L_We = "St";..var L_Th = "\u010Ct";..var L_Fr = "P\u00E1";..var L_Sa = "So";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "rrrr";..var L_MM = "mm";..var L_DD = "dd";..var L_BadNumber = "Tento parametr je typu \"\u010C\u00EDslo\" a m\u016F\u017Ee obsahovat pouze symbol
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (316), with CRLF line terminators
                    Category:dropped
                    Size (bytes):2975
                    Entropy (8bit):4.932163813265018
                    Encrypted:false
                    SSDEEP:48:59elPDD8U5PlnMEW9AqvfAtAk223x5UNc9a/A4f6PfY/+1r5f6Kb1er3f13pv1eJ:59elLD8U5PlnMEW9AqvfAtAk223x5UNA
                    MD5:47A9212533F5E53F3A60D30F2DE82AC0
                    SHA1:7328244540B37EAB2FAFA613C44A7D72B52457FB
                    SHA-256:F05083FE206E05D3EED2C8AA4C265AE54E8691ADD097E7EC421C16C116B3BD6C
                    SHA-512:E0B39EA55648A15196C577F5CDFC5983445856F4F646F8EEC1BB85C07C88320D2FE6F489D1CC7CFB4966DDE5923C529215EF8F54EDAF1A6F8ADF4ED0ED42E808
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "I dag";..var L_January = "Januar";..var L_February = "Februar";..var L_March = "Marts";..var L_April = "April";..var L_May = "Maj";..var L_June = "Juni";..var L_July = "Juli";..var L_August = "August";..var L_September = "September";..var L_October = "Oktober";..var L_November = "November";..var L_December = "December";..var L_Su = "S\u00F8";..var L_Mo = "Ma";..var L_Tu = "Ti";..var L_We = "On";..var L_Th = "To";..var L_Fr = "Fr";..var L_Sa = "L\u00F8";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "\u00E5\u00E5\u00E5\u00E5";..var L_MM = "mm";..var L_DD = "dd";..var L_BadNumber = "Denne parameter er af typen \"Tal\" og m\u00E5 kun indeholde symbolet for negative tal, cifrene (\"0-9\"), cifferg
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (334), with CRLF line terminators
                    Category:dropped
                    Size (bytes):3027
                    Entropy (8bit):4.912493286210965
                    Encrypted:false
                    SSDEEP:48:59eEePDDYU5anMEW9AqvfAfeAmEGSxLlUSA9a/A5XDGtjns4DGtjg6wmtSyflyYI:59enLDYU5anMEW9AqvfA2AmEGSxLlUSf
                    MD5:96658C0C6B439D0B4F9A239BDFBA03E6
                    SHA1:B833F44AA46C0A4FC99B0BF24CC98346E74639A9
                    SHA-256:89D83D5E4EEC90516775915B0E53D09353DBAADEDD1FD2DA6F27BC1114D4C38D
                    SHA-512:10584CCED38075BA43A3D4DE7D69A5AF7E88683038A32F99C276B1392BEEEE865FD44B08CF6EF05EACD239A39ACC3D44D82FD8BEF6360A1CE5FC4D82B47CF4E8
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "Heute";..var L_January = "Januar";..var L_February = "Februar";..var L_March = "M\u00E4rz";..var L_April = "April";..var L_May = "Mai";..var L_June = "Juni";..var L_July = "Juli";..var L_August = "August";..var L_September = "September";..var L_October = "Oktober";..var L_November = "November";..var L_December = "Dezember";..var L_Su = "So";..var L_Mo = "Mo";..var L_Tu = "Di";..var L_We = "Mi";..var L_Th = "Do";..var L_Fr = "Fr";..var L_Sa = "Sa";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "yyyy";..var L_MM = "mm";..var L_DD = "dd";..var L_BadNumber = "Dies ist ein Parameter vom Typ \"Number\", der nur ein vorangestelltes Minuszeichen, Ziffern (\"0-9\"), Zeichen zur Zifferngruppierung oder
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):3129
                    Entropy (8bit):4.942592494622112
                    Encrypted:false
                    SSDEEP:96:59eKf9J1wuAHfMnmpOCqPF/Q22cx5ZbkIaKwfJzHcWJzj190Gsq6GjpCgElBMKOv:5gKf1rTwxIWPh42CBLIWSWfi
                    MD5:DA2C966D0664901FB7C6F3ECDC009446
                    SHA1:4BD62EBB3E5E0005837B862B2A011A1265369948
                    SHA-256:352A9713ABFD1BCCC9F1FDC97A115EEC89A4E3D50694F5A799B0F3D669480126
                    SHA-512:E3C01E36FFE521D73E48631386583BC38E8FDDA54A583C6132924E4E19474870AEBB7514DBAB11061EE7E3A7CF71BEBD7FEF4DB0FBFE380DDEFA01FDC779999D
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "T\u00E4n\u00E4\u00E4n";..var L_January = "Tammikuu";..var L_February = "Helmikuu";..var L_March = "Maaliskuu";..var L_April = "Huhtikuu";..var L_May = "Toukokuu";..var L_June = "Kes\u00E4kuu";..var L_July = "Hein\u00E4kuu";..var L_August = "Elokuu";..var L_September = "Syyskuu";..var L_October = "Lokakuu";..var L_November = "Marraskuu";..var L_December = "Joulukuu";..var L_Su = "Su";..var L_Mo = "Ma";..var L_Tu = "Ti";..var L_We = "Ke";..var L_Th = "To";..var L_Fr = "Pe";..var L_Sa = "La";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "vvvv";..var L_MM = "kk";..var L_DD = "pv";..var L_BadNumber = "T\u00E4m\u00E4n parametrin on tyyppi on \"Number\", ja se voi sis\u00E4lt\u00E4\u00E4 ainoastaan
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (335), with CRLF line terminators
                    Category:dropped
                    Size (bytes):3146
                    Entropy (8bit):4.903846359244872
                    Encrypted:false
                    SSDEEP:96:59el3pWu5anuhckqtGA1B1mxx/ywoEbDs4OWDs4ORXX9DBVdmwBVdkfYbeaJcRsR:5gN0A04c4mDBVcwBVQaSRCWsp
                    MD5:0E901C2B87E11BD77C3B26CA874973A6
                    SHA1:DC9C7A0D3CE866E77B35489E7B39A06112961762
                    SHA-256:6EE30B491C97DAFACFB7F3C95FA4DD2E93AFF70FA5095C6D09DE20138984A63C
                    SHA-512:2EB7700AAA6CAF3227ADC4CA172036E1094263738F0FCD70ADCBD7A66EB46BE53B89901F3CD1FF0DAC592205DEB82C56539AE293230D57C5802441641C6C8AD3
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "Aujourd\'hui";..var L_January = "Janvier";..var L_February = "F\u00E9vrier";..var L_March = "Mars";..var L_April = "Avril";..var L_May = "Mai";..var L_June = "Juin";..var L_July = "Juillet";..var L_August = "Ao\u00FBt";..var L_September = "Septembre";..var L_October = "Octobre";..var L_November = "Novembre";..var L_December = "D\u00E9cembre";..var L_Su = "di";..var L_Mo = "lu";..var L_Tu = "ma";..var L_We = "me";..var L_Th = "je";..var L_Fr = "ve";..var L_Sa = "sa";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "aaaa";..var L_MM = "mm";..var L_DD = "jj";..var L_BadNumber = "Un param\u00E8tre de type \"Nombre\" peut uniquement contenir un signe n\u00E9gatif, des chiffres (\"0-9\"), des symboles
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (325), with CRLF line terminators
                    Category:dropped
                    Size (bytes):2940
                    Entropy (8bit):4.849829735409454
                    Encrypted:false
                    SSDEEP:48:59eGjaKNvnj166bXC9qq989K9llhVGxCfSw9aaxB7dBrId2Jpqum78GWrId2Jphf:59eGjaKNvnp66bXwqYG4llhVGxCfSwoa
                    MD5:04ED54DBC6EDCEC5806E88148D9F1DE9
                    SHA1:2A0D10331D4EBBB39ED92E101AF5F3ADB4C3E128
                    SHA-256:92277CFEFE5732E0D63597E6C7D8AAF6FC4757AB014CF00818B15D2018ADF46D
                    SHA-512:EE9A5BF18E3034449132A0A4123105B9679B96EEAE7B1A0BC2CE22325CAA81577B8024F1972A5FCEE3CD6A1E28CB505D0D21C47EB9C78E215F5223CEAD359693
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "Oggi";..var L_January = "Gennaio";..var L_February = "Febbraio";..var L_March = "Marzo";..var L_April = "Aprile";..var L_May = "Maggio";..var L_June = "Giugno";..var L_July = "Luglio";..var L_August = "Agosto";..var L_September = "Settembre";..var L_October = "Ottobre";..var L_November = "Novembre";..var L_December = "Dicembre";..var L_Su = "Do";..var L_Mo = "Lu";..var L_Tu = "Ma";..var L_We = "Me";..var L_Th = "Gi";..var L_Fr = "Ve";..var L_Sa = "Sa";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "aaaa";..var L_MM = "mm";..var L_DD = "gg";..var L_BadNumber = "Questo parametro \u00E8 di tipo \"Numero\" e pu\u00F2 contenere solo un simbolo negativo, cifre (\"0-9\"), simboli di raggruppamento ci
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (357), with CRLF line terminators
                    Category:dropped
                    Size (bytes):3055
                    Entropy (8bit):4.889735900952581
                    Encrypted:false
                    SSDEEP:48:59eQP2HVq5rVnQI6bgqvAVMfsTxxQ0w9a/AygnfAZgnfAoVKYiVRL+O2CLMa5NM1:59eQuHVq55nQI6bgqvAVMfsTxxQ0woYv
                    MD5:72490117EE1A34F2BF323030A6BFCBB3
                    SHA1:0AEE826B95305E539A95C18C8A30600AADA109A1
                    SHA-256:F4ECF62D6252ADF5FDAEB2CD5507A2720594DE3A0E4C823435FC64C2CFB3DB42
                    SHA-512:68BE63AA1E5C435DB5BEDEB55CB6860520938D04B7558307A7542E18F848B17958750E10786C6ECE64182C01C8FF15F874E29977F94F572269F267C5E42C0D73
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "Hoje";..var L_January = "Janeiro";..var L_February = "Fevereiro";..var L_March = "Mar\u00E7o";..var L_April = "Abril";..var L_May = "Maio";..var L_June = "Junho";..var L_July = "Julho";..var L_August = "Agosto";..var L_September = "Setembro";..var L_October = "Outubro";..var L_November = "Novembro";..var L_December = "Dezembro";..var L_Su = "Dom";..var L_Mo = "Seg";..var L_Tu = "Ter";..var L_We = "Qua";..var L_Th = "Qui";..var L_Fr = "Sex";..var L_Sa = "S\u00E1b";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "aaaa";..var L_MM = "mm";..var L_DD = "dd";..var L_BadNumber = "Esse par\u00E2metro \u00E9 do tipo \"N\u00FAmero\" e pode conter apenas um sinal negativo, d\u00EDgitos (\"0-9\"), s\u00EDm
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (408), with CRLF line terminators
                    Category:dropped
                    Size (bytes):3413
                    Entropy (8bit):5.020312872852195
                    Encrypted:false
                    SSDEEP:96:59eMYGNDFnvZ4nnq3OsZsTsxrMvAQalrI8GorI8GIbqXH79hwH7AvjAYOwXu7Tc2:5gK5zxsAshX7A7onakfWqC
                    MD5:4731DB7CD45BC31D927CC2E2DAFBCA85
                    SHA1:AFCFE60A6DEB2F00610E99948C6CA3B320382910
                    SHA-256:E0F27CAB03E9DEC34CE99121C81D37CE10F4A30AE64AD570E7003F9B8EEC67BF
                    SHA-512:C053CCBF6E4A9CE908CC353E7481DBE4C333EAA6FAA0F4008E9F4B90507B5C02D9FDCE32F890722545DCD9C54CDBD2FACCC16C98D43DE3D0D2164C8ED1E94F96
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "Bug\u00FCn";..var L_January = "Ocak";..var L_February = "\u015Eubat";..var L_March = "Mart";..var L_April = "Nisan";..var L_May = "May\u0131s";..var L_June = "Haziran";..var L_July = "Temmuz";..var L_August = "A\u011Fustos";..var L_September = "Eyl\u00FCl";..var L_October = "Ekim";..var L_November = "Kas\u0131m";..var L_December = "Aral\u0131k";..var L_Su = "Pa";..var L_Mo = "Pt";..var L_Tu = "Sa";..var L_We = "\u00C7a";..var L_Th = "Pe";..var L_Fr = "Cu";..var L_Sa = "Ct";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "yyyy";..var L_MM = "aa";..var L_DD = "gg";..var L_BadNumber = "Bu parametre \"Say\u0131\" t\u00FCr\u00FCndedir ve yaln\u0131zca eksi i\u015Fareti, tamsay\u0131lar (\"0-9\"), ta
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (472), with CRLF line terminators
                    Category:dropped
                    Size (bytes):3781
                    Entropy (8bit):4.978779239900056
                    Encrypted:false
                    SSDEEP:96:59ewup0icnBVGqq5a4KW2bxKRBAoYlP5VfPxrVMP6JP91Pb2Ely8x9BYc0NvNuuG:5gTQxFV0NdPWVD
                    MD5:FD39B4B60188CFF6075BEB177CD19EC4
                    SHA1:E882271227BE37396CFD1B856139EF095EC252F7
                    SHA-256:6AD73C5EAEEA12A42DFD076E6BF0373C0C74279108658FA2ADE8EDC306816356
                    SHA-512:789D1088BE901C66952E72322F27C5A334EA992D93771031AE10B0E4403EEB5625488E59461CA7D0EA03C7A220AAE88AC1FEDB3D2B09B33EE205E59287005FC6
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "\u4ECA\u5929";..var L_January = "\u4E00\u6708";..var L_February = "\u4E8C\u6708";..var L_March = "\u4E09\u6708";..var L_April = "\u56DB\u6708";..var L_May = "\u4E94\u6708";..var L_June = "\u516D\u6708";..var L_July = "\u4E03\u6708";..var L_August = "\u516B\u6708";..var L_September = "\u4E5D\u6708";..var L_October = "\u5341\u6708";..var L_November = "\u5341\u4E00\u6708";..var L_December = "\u5341\u4E8C\u6708";..var L_Su = "\u9031\u65E5";..var L_Mo = "\u9031\u4E00";..var L_Tu = "\u9031\u4E8C";..var L_We = "\u9031\u4E09";..var L_Th = "\u9031\u56DB";..var L_Fr = "\u9031\u4E94";..var L_Sa = "\u9031\u516D";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "yyyy";..var L_MM = "mm";..var L_DD = "dd";..var L_
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):2309
                    Entropy (8bit):5.5844087773873
                    Encrypted:false
                    SSDEEP:48:1+cHQL75RhRybeunA5h4AuT7n1R8bRHWSFbeF0Lbeo:9ARaeuUgnbS3e+eo
                    MD5:65656E3C6FDDBFA044DD0D1B28B19223
                    SHA1:38005D4178C82B479E451D757350A4C1851B96A5
                    SHA-256:C0AAD2D6803D47766CC627AB1C2404917A0116D2467AA9D7516DBEFE44BE2055
                    SHA-512:D3714F5A5750FADD108ED8EF1B806CE5FF4C177B9350269267A73B28E1DE3FCE7814FB9EFEC3882FA3456A204B772A0056810B932EF205DE6BF9D1AFB67DA450
                    Malicious:false
                    Reputation:low
                    Preview:..function writeActxViewer(sViewerVer, sProductLang, sPreferredViewingLang, bDrillDown, bExport, bDisplayGroupTree, ........bGroupTree, bAnimation, bPrint, bRefresh, bSearch, ........bZoom, bSearchExpert, bSelectExpert, sParamVer) {...document.write("<OBJECT ID=\"CRViewer\"");...document.write("CLASSID=\"CLSID:C0A870C3-66BB-4106-9A25-60A26F3C1DA8\"");...document.write("WIDTH=\"100%\" HEIGHT=\"99%\"");...document.write("CODEBASE=\"" + gPath + viewerPath + "ActiveXControls/ActiveXViewer.cab#Version=" + sViewerVer + "\">");...document.write("<PARAM NAME=\"LocaleID\" VALUE=\"" + sProductLang + "\">");...document.write("<PARAM NAME=\"PreferredViewingLocaleID\" VALUE=\"" + sPreferredViewingLang + "\">");...document.write("<PARAM NAME=\"EnableDrillDown\" VALUE=" + bDrillDown + ">");...document.write("<PARAM NAME=\"EnableExportButton\" VALUE=" + bExport + ">");...document.write("<PARAM NAME=\"DisplayGroupTree\" VALUE=" + bDisplayGroupTree + ">");......document.write("<PARAM NAME=\"EnableGroupT
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):5500
                    Entropy (8bit):5.1968512208799575
                    Encrypted:false
                    SSDEEP:48:G5Ql10X84U9JR2GU28estjM+G1jPLlRSRN/sRqRef9tykHj5R/RJdTO:GKgXxAJbTAYd4NwqoHjPZJdTO
                    MD5:D6309FAC9312282C85C29D332D59D90D
                    SHA1:975BD58192FA051EEBCF0DFF754FB05B73A03A03
                    SHA-256:FAD7D1059CBCF9F85D8BA1D1E00F117D3684A308D5A1874DE9234A4275A7328D
                    SHA-512:58E0ECFA91C08432A04191A3A6D82D28390E591CD5D2C408CD391D16F590A835B44449FB81D2E93A9DB592D7BC0C18D5E50CA00FF5A61AC4C11899C02345C3CC
                    Malicious:false
                    Reputation:low
                    Preview:function getArchiveParameters(lang)..{.. var resultParameters = "ReportViewer.jar";.. if (!(lang in ["de", "en", "es", "fr", "it", "ja", "ko", "nl", "pt", "sv", "zh_CN", "zh_TW"])).. {.. .resultParameters += ",ReportViewer_" + lang + ".jar";.. }.. return resultParameters;..}....function writeJavaViewer_part1(browser, jdkVer, type, lang, pvLang, rptName, sf, promptOnRefresh, param)..{...document.write("<P align=\"center\">");...if (browser == "msie")...{....document.write("<OBJECT");....document.write("\tclassid=\"clsid:8AD9C840-044E-11D1-B3E9-00805F499D93\"");....document.write("\twidth=\"100%\" height=\"100%\"");....document.write("\tcodebase=\"" + gPath + pluginPath + "#Version=" + jdkVer + "\">");....document.write("<param name=type value=\"" + type + "\">");....document.write("<param name=code value=\"com.crystaldecisions.ReportViewer.ReportViewer\">");....document.write("<param name=codebase value=\"" + gPath + viewerPath + "JavaViewer/\">");....document.write("<
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Microsoft Cabinet archive data, many, 23069 bytes, 3 files, at 0x44 +A "PrintControl_res_da.dll" +A "csprintdlg_res_da.dll", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):29669
                    Entropy (8bit):7.946307993444019
                    Encrypted:false
                    SSDEEP:384:7LCJbTDnF+1CUlhkR6V/6BTTaohHknP787w2VtPa2+ngBHEJJ2DHh4exZnvnYPLQ:UFWhkRfthEY82VhSn4gS4eTs5J+
                    MD5:A025626D6E7A6FB6B9C81EB0FFF8B57E
                    SHA1:635AF4AC87F71EBDBE062D70FB704C2C282FA788
                    SHA-256:6C37A7CD5828ED4327390E829C3F188102A4D1FB0132FEABA1A4FF460C387F44
                    SHA-512:6C3B3F444F7349656997972DFF0273C79F240D9F486361B5FB08DFEA894A0078926FE1F6BE8A40EB9E8EBC2A3A48BF56D7650DE25523398338A28A30651A0A30
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Microsoft Cabinet archive data, many, 23169 bytes, 3 files, at 0x44 +A "PrintControl_res_de.dll" +A "csprintdlg_res_de.dll", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):29769
                    Entropy (8bit):7.945457388094454
                    Encrypted:false
                    SSDEEP:768:qRBSVbS6pu5JlAOkmaqS7t/dKcSjs5JI6:qRYVbS6+lAOkjqSZoY5JI6
                    MD5:2C49C08A3B88CF0A5845775787A85A1A
                    SHA1:EB4B90A7806D6F3E1804E3AA24B17521075F5C57
                    SHA-256:8E4003D13F96CDC4DF78F3998E8C1C9836DDDEC8B1E9A2C0AFDEDA1D4F54FCA7
                    SHA-512:C644931C5A6087658E63770E5A83EC2A3984F0DE709DAEA1A3D2C97AE49EAC2B38F6A2DA3BA48018A59C86BD9298B61D3B82542ED5E07DE7F2FDFEDDC3027A4E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Microsoft Cabinet archive data, many, 23137 bytes, 3 files, at 0x44 +A "PrintControl_res_hu.dll" +A "csprintdlg_res_hu.dll", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):29737
                    Entropy (8bit):7.94533295643499
                    Encrypted:false
                    SSDEEP:768:WnvAxytPO1EH2X5z0Mh8HnNLDdkX+Uf8ts5Jc+:amoPieHNfdcfN5Jc+
                    MD5:A1FE70C74CBEC3B116CBEC2CFD52581A
                    SHA1:D13010B799B3B4697EA92099012B325878F4B1E4
                    SHA-256:82F03AB44C80AF7F802DC5C70CC6F12C37DBB6DFFE9869E8D098722EFCB0B593
                    SHA-512:036B690E06A0BC52E76E27E22D6DDEC2414AA1B0A307DAAFC1869EBE4AADF9A13EDF726C4B632F54E99B5222B2E5B5CA7067428F171F4DBDD7F98E3FA657484E
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Microsoft Cabinet archive data, many, 22865 bytes, 3 files, at 0x44 +A "PrintControl_res_ja.dll" +A "csprintdlg_res_ja.dll", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):29465
                    Entropy (8bit):7.9448240640365775
                    Encrypted:false
                    SSDEEP:384:8nfOyFQMGGpGHyJQoWLIBPIfwP6imEtzHGIc2FMZeRwRKnJI02M6Q+Z+S86xWCLQ:oFQrKQot0wP287WeRJI/f2cWCL7s5Jt
                    MD5:A7D7DAF56C725F05AB3397612CF75D52
                    SHA1:BA3979B80C63C6A74134A531D6B264781393A19B
                    SHA-256:8A653B33E78EEC8A895FD291B3D24318F4F985062DD51BD3C4EB5E88E716CAC8
                    SHA-512:77E91AAED00C7E47B337996132010176FD6C9E870F36662249CA46230CF475790476749B170425D1DE729834F515F419F77A995FA229FA9457B3A2D724D0E4C3
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Microsoft Cabinet archive data, many, 23020 bytes, 3 files, at 0x44 +A "PrintControl_res_nb.dll" +A "csprintdlg_res_nb.dll", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):29620
                    Entropy (8bit):7.944295686559783
                    Encrypted:false
                    SSDEEP:768:zifihYIO1EH2XxemoAwbpepMCABIjE8E7Ks5J4:fhYIPmybpepGBqzO5J4
                    MD5:16F210F09239DFD7DF6CBF58B216F094
                    SHA1:F41CF1917EF072E7A6D1BBF292CC2D807BD2E2A3
                    SHA-256:B4A0A0A791C43B24B0EC8B7BC31F16D2A4942D8E4E58D95C31103E3AF89A5906
                    SHA-512:44585C936A8F132846BA029444385DC29CFCF09CD1B22D76A18E8358CE833DA522D1A73EC8ADB62EDE1DC4DD0A2D8C8E46406B8AE9F0243D17BB3D8B1A029E9B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Microsoft Cabinet archive data, many, 23359 bytes, 3 files, at 0x44 +A "PrintControl_res_ru.dll" +A "csprintdlg_res_ru.dll", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):29959
                    Entropy (8bit):7.946832457017031
                    Encrypted:false
                    SSDEEP:384:xhcGoyL3yJA02WluyJQoWLIBPIE/3fMnMzp+7Qy/W8sUPcDr8weoRdfFR2spVnYF:TchPQotB3OopRy/bGNRLVs5JfYK
                    MD5:EA343E0BBEE875143A71ED4D5F52E094
                    SHA1:5E4BE67D072AA1C91E23005A7960B1DF2EA4BAA6
                    SHA-256:3616812431FF5CFD728E9F1777D1F0BEB50F25465E7884DBA9F7FCE641146E1B
                    SHA-512:0D593FC77272901576E7212033F5FC631F42B0E01C722E9158D5749066C1447795F6DC88BB090F78AE1B8628FA8E8022C84161D3F809B151F11DDE2BDB432144
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Microsoft Cabinet archive data, many, 23180 bytes, 3 files, at 0x44 +A "PrintControl_res_sk.dll" +A "csprintdlg_res_sk.dll", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):29780
                    Entropy (8bit):7.94455014356257
                    Encrypted:false
                    SSDEEP:768:SlicftX1K17RSvlDsKN82IdN4jI/4Ds5J8gYPW:AhI1VKOBdSIA45J8TPW
                    MD5:2CC48612445FCF89C121B17EB0921AFA
                    SHA1:288A1305257E660E1B6AF9D2E8059B71B44BDA79
                    SHA-256:0B44EFCA40E6495E99237D6720F414133EABA6092EDCDE681D9CD3A629F6934C
                    SHA-512:353C63A79FBF4CC11F05D418CD16B6B2BAB102C56ECB21252FD1042110FDBF570B22BC42F42F9E598A11ACC425226F5EDE9C3AAA492C74E2D01FE221062AC069
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Microsoft Cabinet archive data, many, 23022 bytes, 3 files, at 0x44 +A "PrintControl_res_sv.dll" +A "csprintdlg_res_sv.dll", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):29622
                    Entropy (8bit):7.945534055856677
                    Encrypted:false
                    SSDEEP:384:gCL8oPSUQos2ImmbVBdBAsSxQ5VES4611oB61g4xRij1r9TOkk00wdGGmxCtWN60:WaSLLbBn5yS9OB94xRiBr9Tng6Ns5JVV
                    MD5:5EDDB41FDB4B4C6DE635A71CBE689F08
                    SHA1:81C55799F300D113E687A0801C2523EAE5DAF3E8
                    SHA-256:CA9C6D2346A50C5664766A012E51636F149F5D0657A65FC5E3042DE516510E57
                    SHA-512:72B70E0D84856EA9ABA5B60C8BCF0EC65D50EA3F40A214811D5A780711DF4A067FC945F8D74F01727026F244BAC1D8A464788538A9257B868DC29C6C058B27A3
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Microsoft Cabinet archive data, many, 23107 bytes, 3 files, at 0x44 +A "PrintControl_res_th.dll" +A "csprintdlg_res_th.dll", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):29707
                    Entropy (8bit):7.9474138625289665
                    Encrypted:false
                    SSDEEP:384:dSGlem+Jeo9u7sAFv5YdX02zePfMnFVEQ1Ub2eLSCyfmYe0fMwTV726fnYPLxsSf:dXz2uadE2uOFVLEDO0YemMwJqIs5JVj
                    MD5:CCC87678C422EE724460F2B1EEA72ADF
                    SHA1:37686A7A6C9C2B41FD632248A7EC79FC5B8D1A21
                    SHA-256:3B970EC2E6F143F90990C672CDCD7D0A52340E3A0935E118BFC717D8CE0D93F1
                    SHA-512:9A3BB5088E78D126F1B68DF1C0512A1FAF0A4F8759CB011A1F0607A699F0B21237DD9F395FF7F6636AC97CE6F02E97F777A60C3CAB8C48F20D5AB4F270E16C60
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Microsoft Cabinet archive data, many, 22695 bytes, 3 files, at 0x44 +A "PrintControl_res_zh_CN.dll" +A "csprintdlg_res_zh_CN.dll", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):29295
                    Entropy (8bit):7.946479929243456
                    Encrypted:false
                    SSDEEP:384:hhapCErRBGlFt1fxbSjcP3ky1wc06MLiAIQA7NABRPu3F+SF/FMViQ7nYPLxsSJZ:4CuG1Boc/kWwBKA87Nya+mSiUs5JZ
                    MD5:CB6921B2F84D4394AE01F7169B73A8F6
                    SHA1:106D6D6BBD1A4682AEF969B8D099A708DE76DD77
                    SHA-256:7F260DB474C65D687BE0A7FCCA21B3B3B6EEF101ACB324CBA8D2BE612E8ED5C5
                    SHA-512:9F78566E68F9CF0EEE2C0C6052A3748ECBEF00D19421FC38D7176DEFA6CA5F6CF2330A4D656ED1A339ADA12F566331B1D51CFD2049793374DB0C0FBC6FC824A0
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (328), with CRLF line terminators
                    Category:dropped
                    Size (bytes):15160
                    Entropy (8bit):5.264435095214407
                    Encrypted:false
                    SSDEEP:384:+7mRHzr647DljsyjAed1i1OBzMaazXh4dYTuXJIP30kgP1Ad1WNfhb9:w+XZ9zMa9dYTuXJiGN5b9
                    MD5:DE5AFCE9F4A3D3E213E27356087D4945
                    SHA1:5699B1A61BFE2B35CB96C0FB6BBB79A2505CE82D
                    SHA-256:734915190969787DE4C227260AC3E31D66B9B56CEAD4469D093CC7D673F9F71D
                    SHA-512:D3A7B6EC44C6E028F7D97DF01E718935671FBB28009898A9712AD0E3A09713F31D0C7343C26430F0125A811E981AA6D01827C21CF304B4577EB5E72AEE79A03A
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Hovedrapport";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "G\u00E5 til f\u00F8rste side";..var L_bobj_crv_PrevPage = "G\u00E5 til forrige side";..var L_bobj_crv_NextPage = "G\u00E5 til n\u00E6ste side";..var L_bobj_crv_LastPage = "G\u00E5 til sidste side";..var L_bobj_crv_ParamPanel = "Parameterpanel";..var L_bobj_crv_Parameters = "Parametre";..var L_bobj_crv_GroupTree = "Gruppetr\u00E6";..var L_bobj_crv_DrillUp = "Analyser stigende";..var L_bobj_crv_Refresh = "Opdater rapport";..var L_bobj_crv_Zoom = "Zoom";..var L_bobj_crv_PageNav = "Sidenavigation";..var L_bobj_crv_SelectPage = "G\u00E5 til side";..var L_bobj_crv_SearchText = "S\u00F8g efter tekst";..var L_bobj_crv_Export = "Eksporter denne rapport";..var L_bobj_crv_Print = "Udskriv denne rapport";..var L_bobj_crv_TabList = "Faneliste";..var L_bobj_crv_Close = "Luk";..var L_bobj_crv_Logo= "Business Objects-logo";..var L_bobj
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (334), with CRLF line terminators
                    Category:dropped
                    Size (bytes):15935
                    Entropy (8bit):5.2459163383439735
                    Encrypted:false
                    SSDEEP:384:Vsv/6+gyy5dw5RmVjV0Pg7VbQRM+G7FkTPQtP3LhY+uJFSKIT+:g65fIm0Pg7L+G7FkTIldYdTIT+
                    MD5:73D46BFE5A62334C9A003D4A1F330F90
                    SHA1:284704A7D45E94FCF8515E48BCACC0C02F11D677
                    SHA-256:0848B042801E0589DFCBE2E2E9FD83F05807A967EA1C030475012BF6E72366C2
                    SHA-512:CEFDF276C0DD372A797052BCF3DD514A948A1669FE2ADD3245DFC4A59571677BC66F35D028A94BDD03CFEEEE7B9CB4C2500368CCADB1EBC6D18F8CA9F2C1D81F
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Hauptbericht";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Zur ersten Seite";..var L_bobj_crv_PrevPage = "Zur vorherigen Seite";..var L_bobj_crv_NextPage = "Zur n\u00E4chsten Seite";..var L_bobj_crv_LastPage = "Zur letzten Seite";..var L_bobj_crv_ParamPanel = "Parameterbereich";..var L_bobj_crv_Parameters = "Parameter";..var L_bobj_crv_GroupTree = "Gruppenstruktur";..var L_bobj_crv_DrillUp = "Drillup";..var L_bobj_crv_Refresh = "Bericht regenerieren";..var L_bobj_crv_Zoom = "Zoom";..var L_bobj_crv_PageNav = "Seitennavigation";..var L_bobj_crv_SelectPage = "Gehe zu Seite";..var L_bobj_crv_SearchText = "Nach Text suchen";..var L_bobj_crv_Export = "Diesen Bericht exportieren";..var L_bobj_crv_Print = "Diesen Bericht drucken";..var L_bobj_crv_TabList = "Tabulatorliste";..var L_bobj_crv_Close = "Schlie\u00DFen";..var L_bobj_crv_Logo= "Business Objects-Logo";..var L_bobj_crv_FileMenu
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (497), with CRLF line terminators
                    Category:dropped
                    Size (bytes):17978
                    Entropy (8bit):5.4435378191305075
                    Encrypted:false
                    SSDEEP:384:sqzNjZWlUof8Rt63OAgofM8eC10hXPC0h1QMvO7:TjmlkRs3O/18eC10h/p1Q8O7
                    MD5:B82A88F329450C2CD064BDE993CA9134
                    SHA1:2151BEA07042FCA7772A977D35771443E7624801
                    SHA-256:3224B36E661B74F103FD78DC5F1B0B8C4D83A4D01EE8D8871C06133456A56757
                    SHA-512:E18163AF0B88EEF602D3CF42FFE9E39191AD0617BB2FB0F6934C4717D3E1B9247A100166BC7655907CB7F2E6EC1C25085EA4CDA0BCA29ABD22810F776FDC31B2
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "F\u0151jelent\u00E9s";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Ugr\u00E1s az els\u0151 oldalra";..var L_bobj_crv_PrevPage = "Ugr\u00E1s az el\u0151z\u0151 oldalra";..var L_bobj_crv_NextPage = "Ugr\u00E1s a k\u00F6vetkez\u0151 oldalra";..var L_bobj_crv_LastPage = "Ugr\u00E1s az utols\u00F3 oldalra";..var L_bobj_crv_ParamPanel = "Param\u00E9terpanel";..var L_bobj_crv_Parameters = "Param\u00E9terek";..var L_bobj_crv_GroupTree = "Csoportfa";..var L_bobj_crv_DrillUp = "Fel\u00E9p\u00EDt\u00E9s";..var L_bobj_crv_Refresh = "Jelent\u00E9s friss\u00EDt\u00E9se";..var L_bobj_crv_Zoom = "M\u00E9retv\u00E1ltoztat\u00E1s";..var L_bobj_crv_PageNav = "Oldalnavig\u00E1ci\u00F3";..var L_bobj_crv_SelectPage = "Ugr\u00E1s az oldalra";..var L_bobj_crv_SearchText = "Sz\u00F6veg keres\u00E9se";..var L_bobj_crv_Export = "A jelent\u00E9s export\u00E1l\u00E1sa";..var L_bobj_crv_Print = "A jelent\u00
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (566), with CRLF line terminators
                    Category:dropped
                    Size (bytes):22507
                    Entropy (8bit):5.512025878260368
                    Encrypted:false
                    SSDEEP:384:OB5kXghHULRLcuUHR4mjBXINITzcJnlt0eUZSQB:c5kQmLclRfjBRz4n0tVB
                    MD5:13DAFAFAE10CDD961B715186434C66D5
                    SHA1:F572F338ACC2899DFACAED577361DA705AC7DB58
                    SHA-256:6E524631D08C8615FACF13B821771BD2779BB4E84AF3CD4711C8B7B1D90BCE6D
                    SHA-512:65D731396AF61017CDBCA611EC6931DAD1B49B289171C5013C089085924B07261FAE710CF43DD2270130AB8FE88E98E58B6A104BDABA848D288F2CE23A54DFD4
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "\u30E1\u30A4\u30F3\u30EC\u30DD\u30FC\u30C8";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "\u6700\u521D\u306E\u30DA\u30FC\u30B8\u3078";..var L_bobj_crv_PrevPage = "\u524D\u306E\u30DA\u30FC\u30B8\u3078";..var L_bobj_crv_NextPage = "\u6B21\u306E\u30DA\u30FC\u30B8\u3078";..var L_bobj_crv_LastPage = "\u6700\u5F8C\u306E\u30DA\u30FC\u30B8\u3078";..var L_bobj_crv_ParamPanel = "\u30D1\u30E9\u30E1\u30FC\u30BF\u30D1\u30CD\u30EB";..var L_bobj_crv_Parameters = "\u30D1\u30E9\u30E1\u30FC\u30BF";..var L_bobj_crv_GroupTree = "\u30B0\u30EB\u30FC\u30D7\u30C4\u30EA\u30FC";..var L_bobj_crv_DrillUp = "\u30C9\u30EA\u30EB\u30A2\u30C3\u30D7";..var L_bobj_crv_Refresh = "\u30EC\u30DD\u30FC\u30C8\u3092\u6700\u65B0\u8868\u793A";..var L_bobj_crv_Zoom = "\u30BA\u30FC\u30E0";..var L_bobj_crv_PageNav = "\u30DA\u30FC\u30B8\u306E\u30CA\u30D3\u30B2\u30FC\u30C8";..var L_bobj_crv_SelectPage = "\u6307\u5B9A\u306E\u30D
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (319), with CRLF line terminators
                    Category:dropped
                    Size (bytes):14884
                    Entropy (8bit):5.217502031367176
                    Encrypted:false
                    SSDEEP:384:+7vR0/pJ7E5lLvapDbE4u+9Wr6XTYTAeMJxoo0FP3Ewe2o3bMbGcBm:w+/P++9Wr6jYnMJ/0dd0rMtBm
                    MD5:AF7FC089EF18B38C352C5A7584D9CE97
                    SHA1:805D0093B9231A4464CFA22996A2427BADC72C53
                    SHA-256:66ED19E5B6A23E3A23E152A1A48113097C73DEDA4DE5CD637416EEBD4C586E6E
                    SHA-512:66358B4A8FAD534F9217D45313A14BAA6F3405C7E0C2120915F83E61D0FF2C690B7B7A5BC23C75B8ED20B264232F2748CADDBA49B084D6D1EC5E1FB78053F52E
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Hovedrapport";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "G\u00E5 til f\u00F8rste side";..var L_bobj_crv_PrevPage = "G\u00E5 til forrige side";..var L_bobj_crv_NextPage = "G\u00E5 til neste side";..var L_bobj_crv_LastPage = "G\u00E5 til siste side";..var L_bobj_crv_ParamPanel = "Parameterpanel";..var L_bobj_crv_Parameters = "Parametere";..var L_bobj_crv_GroupTree = "Gruppetre";..var L_bobj_crv_DrillUp = "Analyser opp";..var L_bobj_crv_Refresh = "Oppdater rapport";..var L_bobj_crv_Zoom = "Zoom";..var L_bobj_crv_PageNav = "Sidenavigering";..var L_bobj_crv_SelectPage = "G\u00E5 til side";..var L_bobj_crv_SearchText = "S\u00F8k etter tekst";..var L_bobj_crv_Export = "Eksporter denne rapporten";..var L_bobj_crv_Print = "Skriv ut denne rapporten";..var L_bobj_crv_TabList = "Tab.liste";..var L_bobj_crv_Close = "Lukke";..var L_bobj_crv_Logo= "Business Objects-logo";..var L_bobj_crv_Fi
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (1202), with CRLF line terminators
                    Category:dropped
                    Size (bytes):37120
                    Entropy (8bit):4.741125891484605
                    Encrypted:false
                    SSDEEP:192:nMxifluvgJ/bVaZduW2LsOE+d1Cz0ZNn1imHnCUpZBbpZBD62nLs6YnLp36o/wCP:nJAqdJSjRuOxUJCQ7WDjoaeE
                    MD5:F88B8F08C9FA2C835C163A4CBC7172EC
                    SHA1:E4D97B66F785289BBAEC62826F71E3DF6A356A95
                    SHA-256:A280A02CB79C374D244F3A584BA0D4C3F76667ECF8D656E75C48D55DF0CF433D
                    SHA-512:8D2AEA0F039546EB89F8B550E0977AEE7FBADA62015D5E726530FC6DF431A5617DD80E59A284A8DBE7CB093B24389BA5832CCD9D3D82AB6F6CD361579999D65D
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "\u0413\u043B\u0430\u0432\u043D\u044B\u0439 \u043E\u0442\u0447\u0435\u0442";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "\u041F\u0435\u0440\u0435\u0439\u0442\u0438 \u043A \u043F\u0435\u0440\u0432\u043E\u0439 \u0441\u0442\u0440\u0430\u043D\u0438\u0446\u0435";..var L_bobj_crv_PrevPage = "\u041F\u0435\u0440\u0435\u0439\u0442\u0438 \u043A \u043F\u0440\u0435\u0434\u044B\u0434\u0443\u0449\u0435\u0439 \u0441\u0442\u0440\u0430\u043D\u0438\u0446\u0435";..var L_bobj_crv_NextPage = "\u041F\u0435\u0440\u0435\u0439\u0442\u0438 \u043A \u0441\u043B\u0435\u0434\u0443\u044E\u0449\u0435\u0439 \u0441\u0442\u0440\u0430\u043D\u0438\u0446\u0435";..var L_bobj_crv_LastPage = "\u041F\u0435\u0440\u0435\u0439\u0442\u0438 \u043A \u043F\u043E\u0441\u043B\u0435\u0434\u043D\u0435\u0439 \u0441\u0442\u0440\u0430\u043D\u0438\u0446\u0435";..var L_bobj_crv_ParamPanel = "\u041F\u0430\u043D\u0435\u043B\u044C \u043F\u
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (349), with CRLF line terminators
                    Category:dropped
                    Size (bytes):17003
                    Entropy (8bit):5.430365947357114
                    Encrypted:false
                    SSDEEP:384:AsxYAEiSPwicBZ0lQfMysL5mAPC0MjT1jTkQ+G1g:eAE/wjBZ0lAMyQ5m6E/1/Tt1g
                    MD5:C1E82FFE8EA555E07B884595EA0B74E9
                    SHA1:CB4BAC9F631C2F0380B75AEC11F6AF8A0972971B
                    SHA-256:9D363FB822AD7CB322778CCAC481145F2CDFC896DD8D1F7D370F94EA78FF3825
                    SHA-512:7AC6EBE78C3E083846693AEDC5221BF0AB6884B5975531ACBDA2287786BAFFE591E6CB4CA353C0842E93FDE620BB2C569D37B116DC0F5A44589A029D4FEEEF22
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "\uFEFFHlavn\u00E1 zostava";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Prejs\u0165 na prv\u00FA stranu";..var L_bobj_crv_PrevPage = "Prejs\u0165 na predch\u00E1dzaj\u00FAcu stranu";..var L_bobj_crv_NextPage = "Prejs\u0165 na nasleduj\u00FAcu stranu";..var L_bobj_crv_LastPage = "Prejs\u0165 na posledn\u00FA stranu";..var L_bobj_crv_ParamPanel = "Panel parametrov";..var L_bobj_crv_Parameters = "Parametre";..var L_bobj_crv_GroupTree = "Strom skup\u00EDn";..var L_bobj_crv_DrillUp = "Prejs\u0165 na vy\u0161\u0161iu \u00FArove\u0148";..var L_bobj_crv_Refresh = "Obnovi\u0165 zostavu";..var L_bobj_crv_Zoom = "Lupa";..var L_bobj_crv_PageNav = "Navig\u00E1cia strany";..var L_bobj_crv_SelectPage = "Prejs\u0165 na stranu";..var L_bobj_crv_SearchText = "Vyh\u013Eada\u0165 text";..var L_bobj_crv_Export = "Exportova\u0165 t\u00FAto zostavu";..var L_bobj_crv_Print = "Tla\u010Di\u0165 t\u00FAto
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (402), with CRLF line terminators
                    Category:dropped
                    Size (bytes):15950
                    Entropy (8bit):5.312254793756838
                    Encrypted:false
                    SSDEEP:384:YORbbTOq4zXmtO17FKNuEhgzZNTLOK2PV9P30FRj71m:lbTYz7FKNutzXLOK2PV1i1m
                    MD5:452EB290E37529C52BB4A399110447DB
                    SHA1:70BE79438FDDB343484199BB8454535A2474BA98
                    SHA-256:9499AB3DBCC7079BCA3A603C58E79B7131A2D804629BD90CEAF379EBAC0A7F09
                    SHA-512:6D2FC654A50141C99763B5F3CB54804E81C2B8BF5F16E59DEDB40210D69C504D2BEC8C693923EB75935082C1096BD67975F458A440A95D5054B663DE7BF4A16D
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Huvudrapport";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "G\u00E5 till f\u00F6rsta sidan";..var L_bobj_crv_PrevPage = "G\u00E5 till f\u00F6reg\u00E5ende sida";..var L_bobj_crv_NextPage = "G\u00E5 till n\u00E4sta sida";..var L_bobj_crv_LastPage = "G\u00E5 till sista sidan";..var L_bobj_crv_ParamPanel = "Parameterpanel";..var L_bobj_crv_Parameters = "Parametrar";..var L_bobj_crv_GroupTree = "Grupptr\u00E4d";..var L_bobj_crv_DrillUp = "Drill-up";..var L_bobj_crv_Refresh = "Uppdatera rapport";..var L_bobj_crv_Zoom = "Zooma";..var L_bobj_crv_PageNav = "Sidnavigering";..var L_bobj_crv_SelectPage = "G\u00E5 till sida";..var L_bobj_crv_SearchText = "S\u00F6k efter text";..var L_bobj_crv_Export = "Exportera den h\u00E4r rapporten";..var L_bobj_crv_Print = "Skriv ut den h\u00E4r rapporten";..var L_bobj_crv_TabList = "Tabblista";..var L_bobj_crv_Close = "St\u00E4ng";..var L_bobj_crv_Logo=
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (1077), with CRLF line terminators
                    Category:dropped
                    Size (bytes):35492
                    Entropy (8bit):4.921648304142107
                    Encrypted:false
                    SSDEEP:768:YaKR2qxRgnyWxeMWP3WPJKXkTRgYHKh0kxPt4Pd4P9ki3:YaKR2qxRgnyWxeqKXcHi/kG
                    MD5:7896E27DA1049818A1EA1622D76B28B6
                    SHA1:F5AB501BC28D03DEFBEDCAA9BC83F302EC1CCF9B
                    SHA-256:FFD2141D3B81507C1AA45FE0A6DBA016B9D143BC83537673560E205357E7C7C7
                    SHA-512:2AACC4D764CF7B70D4B9027448A67D7333C6C9601C4861D04794F55166130485A31F691250231243AC890DC3A294BC7E97D92ABE2B6230DB11ACDFF31EAE7A2E
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "\u0E23\u0E32\u0E22\u0E07\u0E32\u0E19\u0E2B\u0E25\u0E31\u0E01";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "\u0E44\u0E1B\u0E17\u0E35\u0E48\u0E2B\u0E19\u0E49\u0E32\u0E41\u0E23\u0E01";..var L_bobj_crv_PrevPage = "\u0E44\u0E1B\u0E17\u0E35\u0E48\u0E2B\u0E19\u0E49\u0E32\u0E01\u0E48\u0E2D\u0E19";..var L_bobj_crv_NextPage = "\u0E44\u0E1B\u0E17\u0E35\u0E48\u0E2B\u0E19\u0E49\u0E32\u0E16\u0E31\u0E14\u0E44\u0E1B";..var L_bobj_crv_LastPage = "\u0E44\u0E1B\u0E17\u0E35\u0E48\u0E2B\u0E19\u0E49\u0E32\u0E2A\u0E38\u0E14\u0E17\u0E49\u0E32\u0E22";..var L_bobj_crv_ParamPanel = "\u0E1E\u0E32\u0E40\u0E19\u0E25\u0E1E\u0E32\u0E23\u0E32\u0E21\u0E34\u0E40\u0E15\u0E2D\u0E23\u0E4C";..var L_bobj_crv_Parameters = "\u0E1E\u0E32\u0E23\u0E32\u0E21\u0E34\u0E40\u0E15\u0E2D\u0E23\u0E4C";..var L_bobj_crv_GroupTree = "\u0E42\u0E04\u0E23\u0E07\u0E2A\u0E23\u0E49\u0E32\u0E07\u0E01\u0E25\u0E38\u0E48\u0E21";..var L_bobj_cr
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:Unicode text, UTF-8 text, with very long lines (540), with CRLF line terminators
                    Category:dropped
                    Size (bytes):18295
                    Entropy (8bit):5.7475992194635195
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "\u4E3B\u62A5\u8868";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "\u8F6C\u5230\u7B2C\u4E00\u9875";..var L_bobj_crv_PrevPage = "\u8F6C\u5230\u4E0A\u4E00\u9875";..var L_bobj_crv_NextPage = "\u8F6C\u5230\u4E0B\u4E00\u9875";..var L_bobj_crv_LastPage = "\u8F6C\u5230\u6700\u540E\u4E00\u9875";..var L_bobj_crv_ParamPanel = "\u53C2\u6570\u9762\u677F";..var L_bobj_crv_Parameters = "\u53C2\u6570";..var L_bobj_crv_GroupTree = "\u7EC4\u6811";..var L_bobj_crv_DrillUp = "\u5411\u4E0A\u94BB\u53D6";..var L_bobj_crv_Refresh = "\u5237\u65B0\u62A5\u8868";..var L_bobj_crv_Zoom = "\u7F29\u653E";..var L_bobj_crv_PageNav = "\u9875\u9762\u5BFC\u822A";..var L_bobj_crv_SelectPage = "\u8F6C\u5230\u9875";..var L_bobj_crv_SearchText = "\u641C\u7D22\u6587\u672C";..var L_bobj_crv_Export = "\u5BFC\u51FA\u6B64\u62A5\u8868";..var L_bobj_crv_Print = "\u6253\u5370\u6B64\u62A5\u8868";..var L_bobj_crv_TabList = "\u900
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (328), with CRLF line terminators
                    Category:dropped
                    Size (bytes):7937
                    Entropy (8bit):5.158952087234029
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Hovedrapport";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "G\u00E5 til f\u00F8rste side";..var L_bobj_crv_PrevPage = "G\u00E5 til forrige side";..var L_bobj_crv_NextPage = "G\u00E5 til n\u00E6ste side";..var L_bobj_crv_LastPage = "G\u00E5 til sidste side";..var L_bobj_crv_ParamPanel = "Parameterpanel";..var L_bobj_crv_Parameters = "Parametre";..var L_bobj_crv_GroupTree = "Gruppetr\u00E6";..var L_bobj_crv_DrillUp = "Analyser stigende";..var L_bobj_crv_Refresh = "Opdater rapport";..var L_bobj_crv_Zoom = "Zoom";..var L_bobj_crv_PageNav = "Sidenavigation";..var L_bobj_crv_SelectPage = "G\u00E5 til side";..var L_bobj_crv_SearchText = "S\u00F8g efter tekst";..var L_bobj_crv_Export = "Eksporter denne rapport";..var L_bobj_crv_Print = "Udskriv denne rapport";..var L_bobj_crv_TabList = "Faneliste";..var L_bobj_crv_Close = "Luk";..var L_bobj_crv_Logo= "Business Objects-logo";..var L_bobj
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (328), with CRLF line terminators
                    Category:dropped
                    Size (bytes):8417
                    Entropy (8bit):5.171262518673541
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Hauptbericht";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Zur ersten Seite";..var L_bobj_crv_PrevPage = "Zur vorherigen Seite";..var L_bobj_crv_NextPage = "Zur n\u00E4chsten Seite";..var L_bobj_crv_LastPage = "Zur letzten Seite";..var L_bobj_crv_ParamPanel = "Parameterbereich";..var L_bobj_crv_Parameters = "Parameter";..var L_bobj_crv_GroupTree = "Gruppenstruktur";..var L_bobj_crv_DrillUp = "Drillup";..var L_bobj_crv_Refresh = "Bericht regenerieren";..var L_bobj_crv_Zoom = "Zoom";..var L_bobj_crv_PageNav = "Seitennavigation";..var L_bobj_crv_SelectPage = "Gehe zu Seite";..var L_bobj_crv_SearchText = "Nach Text suchen";..var L_bobj_crv_Export = "Diesen Bericht exportieren";..var L_bobj_crv_Print = "Diesen Bericht drucken";..var L_bobj_crv_TabList = "Tabulatorliste";..var L_bobj_crv_Close = "Schlie\u00DFen";..var L_bobj_crv_Logo= "Business Objects-Logo";..var L_bobj_crv_FileMenu
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (497), with CRLF line terminators
                    Category:dropped
                    Size (bytes):9844
                    Entropy (8bit):5.253578354854952
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "F\u0151jelent\u00E9s";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Ugr\u00E1s az els\u0151 oldalra";..var L_bobj_crv_PrevPage = "Ugr\u00E1s az el\u0151z\u0151 oldalra";..var L_bobj_crv_NextPage = "Ugr\u00E1s a k\u00F6vetkez\u0151 oldalra";..var L_bobj_crv_LastPage = "Ugr\u00E1s az utols\u00F3 oldalra";..var L_bobj_crv_ParamPanel = "Param\u00E9terpanel";..var L_bobj_crv_Parameters = "Param\u00E9terek";..var L_bobj_crv_GroupTree = "Csoportfa";..var L_bobj_crv_DrillUp = "Fel\u00E9p\u00EDt\u00E9s";..var L_bobj_crv_Refresh = "Jelent\u00E9s friss\u00EDt\u00E9se";..var L_bobj_crv_Zoom = "M\u00E9retv\u00E1ltoztat\u00E1s";..var L_bobj_crv_PageNav = "Oldalnavig\u00E1ci\u00F3";..var L_bobj_crv_SelectPage = "Ugr\u00E1s az oldalra";..var L_bobj_crv_SearchText = "Sz\u00F6veg keres\u00E9se";..var L_bobj_crv_Export = "A jelent\u00E9s export\u00E1l\u00E1sa";..var L_bobj_crv_Print = "A jelent\u00
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (566), with CRLF line terminators
                    Category:dropped
                    Size (bytes):13185
                    Entropy (8bit):4.93443258496511
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "\u30E1\u30A4\u30F3\u30EC\u30DD\u30FC\u30C8";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "\u6700\u521D\u306E\u30DA\u30FC\u30B8\u3078";..var L_bobj_crv_PrevPage = "\u524D\u306E\u30DA\u30FC\u30B8\u3078";..var L_bobj_crv_NextPage = "\u6B21\u306E\u30DA\u30FC\u30B8\u3078";..var L_bobj_crv_LastPage = "\u6700\u5F8C\u306E\u30DA\u30FC\u30B8\u3078";..var L_bobj_crv_ParamPanel = "\u30D1\u30E9\u30E1\u30FC\u30BF\u30D1\u30CD\u30EB";..var L_bobj_crv_Parameters = "\u30D1\u30E9\u30E1\u30FC\u30BF";..var L_bobj_crv_GroupTree = "\u30B0\u30EB\u30FC\u30D7\u30C4\u30EA\u30FC";..var L_bobj_crv_DrillUp = "\u30C9\u30EA\u30EB\u30A2\u30C3\u30D7";..var L_bobj_crv_Refresh = "\u30EC\u30DD\u30FC\u30C8\u3092\u6700\u65B0\u8868\u793A";..var L_bobj_crv_Zoom = "\u30BA\u30FC\u30E0";..var L_bobj_crv_PageNav = "\u30DA\u30FC\u30B8\u306E\u30CA\u30D3\u30B2\u30FC\u30C8";..var L_bobj_crv_SelectPage = "\u6307\u5B9A\u306E\u30D
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (319), with CRLF line terminators
                    Category:dropped
                    Size (bytes):7703
                    Entropy (8bit):5.102177220270636
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Hovedrapport";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "G\u00E5 til f\u00F8rste side";..var L_bobj_crv_PrevPage = "G\u00E5 til forrige side";..var L_bobj_crv_NextPage = "G\u00E5 til neste side";..var L_bobj_crv_LastPage = "G\u00E5 til siste side";..var L_bobj_crv_ParamPanel = "Parameterpanel";..var L_bobj_crv_Parameters = "Parametere";..var L_bobj_crv_GroupTree = "Gruppetre";..var L_bobj_crv_DrillUp = "Analyser opp";..var L_bobj_crv_Refresh = "Oppdater rapport";..var L_bobj_crv_Zoom = "Zoom";..var L_bobj_crv_PageNav = "Sidenavigering";..var L_bobj_crv_SelectPage = "G\u00E5 til side";..var L_bobj_crv_SearchText = "S\u00F8k etter tekst";..var L_bobj_crv_Export = "Eksporter denne rapporten";..var L_bobj_crv_Print = "Skriv ut denne rapporten";..var L_bobj_crv_TabList = "Tab.liste";..var L_bobj_crv_Close = "Lukke";..var L_bobj_crv_Logo= "Business Objects-logo";..var L_bobj_crv_Fi
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (1202), with CRLF line terminators
                    Category:dropped
                    Size (bytes):22412
                    Entropy (8bit):4.147838289979693
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "\u0413\u043B\u0430\u0432\u043D\u044B\u0439 \u043E\u0442\u0447\u0435\u0442";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "\u041F\u0435\u0440\u0435\u0439\u0442\u0438 \u043A \u043F\u0435\u0440\u0432\u043E\u0439 \u0441\u0442\u0440\u0430\u043D\u0438\u0446\u0435";..var L_bobj_crv_PrevPage = "\u041F\u0435\u0440\u0435\u0439\u0442\u0438 \u043A \u043F\u0440\u0435\u0434\u044B\u0434\u0443\u0449\u0435\u0439 \u0441\u0442\u0440\u0430\u043D\u0438\u0446\u0435";..var L_bobj_crv_NextPage = "\u041F\u0435\u0440\u0435\u0439\u0442\u0438 \u043A \u0441\u043B\u0435\u0434\u0443\u044E\u0449\u0435\u0439 \u0441\u0442\u0440\u0430\u043D\u0438\u0446\u0435";..var L_bobj_crv_LastPage = "\u041F\u0435\u0440\u0435\u0439\u0442\u0438 \u043A \u043F\u043E\u0441\u043B\u0435\u0434\u043D\u0435\u0439 \u0441\u0442\u0440\u0430\u043D\u0438\u0446\u0435";..var L_bobj_crv_ParamPanel = "\u041F\u0430\u043D\u0435\u043B\u044C \u043F\u
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (349), with CRLF line terminators
                    Category:dropped
                    Size (bytes):9076
                    Entropy (8bit):5.2591468705529785
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "\uFEFFHlavn\u00E1 zostava";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "Prejs\u0165 na prv\u00FA stranu";..var L_bobj_crv_PrevPage = "Prejs\u0165 na predch\u00E1dzaj\u00FAcu stranu";..var L_bobj_crv_NextPage = "Prejs\u0165 na nasleduj\u00FAcu stranu";..var L_bobj_crv_LastPage = "Prejs\u0165 na posledn\u00FA stranu";..var L_bobj_crv_ParamPanel = "Panel parametrov";..var L_bobj_crv_Parameters = "Parametre";..var L_bobj_crv_GroupTree = "Strom skup\u00EDn";..var L_bobj_crv_DrillUp = "Prejs\u0165 na vy\u0161\u0161iu \u00FArove\u0148";..var L_bobj_crv_Refresh = "Obnovi\u0165 zostavu";..var L_bobj_crv_Zoom = "Lupa";..var L_bobj_crv_PageNav = "Navig\u00E1cia strany";..var L_bobj_crv_SelectPage = "Prejs\u0165 na stranu";..var L_bobj_crv_SearchText = "Vyh\u013Eada\u0165 text";..var L_bobj_crv_Export = "Exportova\u0165 t\u00FAto zostavu";..var L_bobj_crv_Print = "Tla\u010Di\u0165 t\u00FAto
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (389), with CRLF line terminators
                    Category:dropped
                    Size (bytes):8397
                    Entropy (8bit):5.191545079838372
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "Huvudrapport";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "G\u00E5 till f\u00F6rsta sidan";..var L_bobj_crv_PrevPage = "G\u00E5 till f\u00F6reg\u00E5ende sida";..var L_bobj_crv_NextPage = "G\u00E5 till n\u00E4sta sida";..var L_bobj_crv_LastPage = "G\u00E5 till sista sidan";..var L_bobj_crv_ParamPanel = "Parameterpanel";..var L_bobj_crv_Parameters = "Parametrar";..var L_bobj_crv_GroupTree = "Grupptr\u00E4d";..var L_bobj_crv_DrillUp = "Drill-up";..var L_bobj_crv_Refresh = "Uppdatera rapport";..var L_bobj_crv_Zoom = "Zooma";..var L_bobj_crv_PageNav = "Sidnavigering";..var L_bobj_crv_SelectPage = "G\u00E5 till sida";..var L_bobj_crv_SearchText = "S\u00F6k efter text";..var L_bobj_crv_Export = "Exportera den h\u00E4r rapporten";..var L_bobj_crv_Print = "Skriv ut den h\u00E4r rapporten";..var L_bobj_crv_TabList = "Tabblista";..var L_bobj_crv_Close = "St\u00E4ng";..var L_bobj_crv_Logo=
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (1077), with CRLF line terminators
                    Category:dropped
                    Size (bytes):20391
                    Entropy (8bit):4.331804586698231
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "\u0E23\u0E32\u0E22\u0E07\u0E32\u0E19\u0E2B\u0E25\u0E31\u0E01";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "\u0E44\u0E1B\u0E17\u0E35\u0E48\u0E2B\u0E19\u0E49\u0E32\u0E41\u0E23\u0E01";..var L_bobj_crv_PrevPage = "\u0E44\u0E1B\u0E17\u0E35\u0E48\u0E2B\u0E19\u0E49\u0E32\u0E01\u0E48\u0E2D\u0E19";..var L_bobj_crv_NextPage = "\u0E44\u0E1B\u0E17\u0E35\u0E48\u0E2B\u0E19\u0E49\u0E32\u0E16\u0E31\u0E14\u0E44\u0E1B";..var L_bobj_crv_LastPage = "\u0E44\u0E1B\u0E17\u0E35\u0E48\u0E2B\u0E19\u0E49\u0E32\u0E2A\u0E38\u0E14\u0E17\u0E49\u0E32\u0E22";..var L_bobj_crv_ParamPanel = "\u0E1E\u0E32\u0E40\u0E19\u0E25\u0E1E\u0E32\u0E23\u0E32\u0E21\u0E34\u0E40\u0E15\u0E2D\u0E23\u0E4C";..var L_bobj_crv_Parameters = "\u0E1E\u0E32\u0E23\u0E32\u0E21\u0E34\u0E40\u0E15\u0E2D\u0E23\u0E4C";..var L_bobj_crv_GroupTree = "\u0E42\u0E04\u0E23\u0E07\u0E2A\u0E23\u0E49\u0E32\u0E07\u0E01\u0E25\u0E38\u0E48\u0E21";..var L_bobj_cr
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (540), with CRLF line terminators
                    Category:dropped
                    Size (bytes):10128
                    Entropy (8bit):5.225151851255563
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....var L_bobj_crv_MainReport = "\u4E3B\u62A5\u8868";..// Viewer Toolbar tooltips..var L_bobj_crv_FirstPage = "\u8F6C\u5230\u7B2C\u4E00\u9875";..var L_bobj_crv_PrevPage = "\u8F6C\u5230\u4E0A\u4E00\u9875";..var L_bobj_crv_NextPage = "\u8F6C\u5230\u4E0B\u4E00\u9875";..var L_bobj_crv_LastPage = "\u8F6C\u5230\u6700\u540E\u4E00\u9875";..var L_bobj_crv_ParamPanel = "\u53C2\u6570\u9762\u677F";..var L_bobj_crv_Parameters = "\u53C2\u6570";..var L_bobj_crv_GroupTree = "\u7EC4\u6811";..var L_bobj_crv_DrillUp = "\u5411\u4E0A\u94BB\u53D6";..var L_bobj_crv_Refresh = "\u5237\u65B0\u62A5\u8868";..var L_bobj_crv_Zoom = "\u7F29\u653E";..var L_bobj_crv_PageNav = "\u9875\u9762\u5BFC\u822A";..var L_bobj_crv_SelectPage = "\u8F6C\u5230\u9875";..var L_bobj_crv_SearchText = "\u641C\u7D22\u6587\u672C";..var L_bobj_crv_Export = "\u5BFC\u51FA\u6B64\u62A5\u8868";..var L_bobj_crv_Print = "\u6253\u5370\u6B64\u62A5\u8868";..var L_bobj_crv_TabList = "\u900
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4248
                    Entropy (8bit):5.260215839309549
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="Standard".._black="Sort".._brown="Brun".._oliveGreen="Olivengr.n".._darkGreen="M.rkegr.n".._darkTeal="Dybbl.".._navyBlue="Marinebl.".._indigo="Indigo".._darkGray="M.rkegr.".._darkRed="M.rker.d".._orange="Orange".._darkYellow="M.rkegul".._green="Gr.n".._teal="Bl.gr.n".._blue="Bl.".._blueGray="Bl.gr.".._mediumGray="Mellemgr.".._red="R.d".._lightOrange="Lys orange".._lime="Lime".._seaGreen="Havgr.n".._aqua="
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4491
                    Entropy (8bit):5.241359084965623
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="Standard".._black="Schwarz".._brown="Braun".._oliveGreen="Olivgr.n".._darkGreen="Dunkelgr.n".._darkTeal="Dunkelblaugr.n".._navyBlue="Marineblau".._indigo="Indigoblau".._darkGray="Dunkelgrau".._darkRed="Dunkelrot".._orange="Orange".._darkYellow="Dunkelgelb".._green="Gr.n".._teal="Blaugr.n".._blue="Blau".._blueGray="Blaugrau".._mediumGray="Mittelgrau".._red="Rot".._lightOrange="Hellorange".._lime="Gelbgr.n".._seaGreen="
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4590
                    Entropy (8bit):5.430047734905452
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="Alap.rtelmezett".._black="Fekete".._brown="Barna".._oliveGreen="Olajz.ld".._darkGreen="S.t.tz.ld".._darkTeal="S.t.t p.vak.k".._navyBlue="Tenger.szk.k".._indigo="Indig.k.k".._darkGray="S.t.tsz.rke".._darkRed="S.t.tpiros".._orange="Narancss.rga".._darkYellow="Okkers.rga".._green="Z.ld".._teal="S.t.tci.n".._blue="K.k".._blueGray="K.kessz.rke".._mediumGray="K.z.psz.rke".._red="Piros".._lightOrange=
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4649
                    Entropy (8bit):5.989186639175651
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default=".....".._black=".".._brown=".".._oliveGreen="........".._darkGreen="...".._darkTeal="....".._navyBlue="..".._indigo=".....".._darkGray="....".._darkRed="...".._orange="....".._darkYellow="...".._green=".".._teal="..".._blue=".".._blueGray="..".._mediumGray="..".._red=".".._lightOrange="......".._lime="..".
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4345
                    Entropy (8bit):5.242892691389963
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="Standard".._black="Svart".._brown="Brun".._oliveGreen="Olivengr.nn".._darkGreen="M.rkegr.nn".._darkTeal="M.rk bl.gr.nn".._navyBlue="Marinebl.".._indigo="Indigo".._darkGray="M.rk gr.".._darkRed="M.rker.d".._orange="Oransje".._darkYellow="M.rkegul".._green="Gr.nn".._teal="Bl.gr.nn".._blue="Bl.".._blueGray="Bl.gr.".._mediumGray="Mellomgr.".._red="R.d".._lightOrange="Lys oransje".._lime="Sitrusgr.nn".._seaG
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):6143
                    Entropy (8bit):5.440151278792907
                    Encrypted:false
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default=".. .........".._black="......".._brown="..........".._oliveGreen="........-.......".._darkGreen=".....-.......".._darkTeal=".....-.........".._navyBlue=".....-.....".._indigo="......".._darkGray=".....-.....".._darkRed=".....-.......".._orange=".........".._darkYellow=".....-......".._green="....
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4710
                    Entropy (8bit):5.409078907184024
                    Encrypted:false
                    SSDEEP:96:G9ojOaOWVoSgmU6dm93JrP8I+6ZpqppwHImfpJHyWXWmr0Gj1TTzZ+eKCTU:GCfM35P8I+x8I/z64
                    MD5:05C9047627B51F4F088DC336AFC9369B
                    SHA1:86FCC00A653407F90D0EFC9EEE881B8D857BA2DE
                    SHA-256:0604537386B4F87526B754DCC635FB14081CC60CF969807635DF8150420DAA44
                    SHA-512:D46F52181CE6F7EB073AE3A09487E547740FE25B34044F9A824E84B02A4AC4677C0E53FD98D05E840CB7D0814755F0978E14A15D42A254A6CC98F5FD53E4D66B
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="Predvolen.".._black=".ierna".._brown="Hned.".._oliveGreen="Olivovozelen.".._darkGreen="Tmavozelen.".._darkTeal="Tmavosivozelen.".._navyBlue="N.morn.cka modr.".._indigo="Indigov.".._darkGray="Tmavosiv.".._darkRed="Tmavo.erven.".._orange="Oran.ov.".._darkYellow="Tmavo.lt.".._green="Zelen.".._teal="Sivozelen.".._blue="Modr.".._blueGray="Modrosiv.".._mediumGray="Stredne siv.".._red=".erven.".._lightOrang
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4353
                    Entropy (8bit):5.287739622341475
                    Encrypted:false
                    SSDEEP:96:G9rVCckLQaHIogTvYdZNTtL5Ev5uLe3OKg3Im2Hkhz7r0Mcj3MgZV3FZSZH:Gl0NzZNTLEv5uQOK0Im2H20JgF
                    MD5:0E3D3DE4C67595E9385DF95605AD027B
                    SHA1:F46555640AB1BBD15DE1F81200C265989ADCFC85
                    SHA-256:16E1AA735F0C88779304E863B9462DC0464EAE418E74A0F4A59CAF8D8345AA39
                    SHA-512:04D863C761B8865BA4497B0314A06FF55C41EEBA3D21D2A8ECE191C51805A30F051B986236F89AD0AEC30E3D0026B617D3F15F9DEED56384FD5E429B617D863A
                    Malicious:false
                    Reputation:low
                    Preview:// <script>../*..=============================================================..WebIntelligence(r) Report Panel..Copyright(c) 2001-2003 Business Objects S.A...All rights reserved....Use and support of this software is governed by the terms..and conditions of the software license agreement and support..policy of Business Objects S.A. and/or its subsidiaries. ..The Business Objects products and technology are protected..by the US patent number 5,555,403 and 6,247,008....File: labels.js......=============================================================..*/...._default="Standard".._black="Svart".._brown="Brun".._oliveGreen="Olivgr.n".._darkGreen="M.rkgr.n".._darkTeal="M.rk bl.gr.n".._navyBlue="Marinbl.".._indigo="Indigo".._darkGray="M.rkgr.".._darkRed="M.rkr.d".._orange="Orange".._darkYellow="M.rkgul".._green="Gr.n".._teal="Bl.gr.n".._blue="Bl.".._blueGray="Bl.gr.".._mediumGray="Mellangr.".._red="R.d".._lightOrange="Ljus orange".._lime="Lime".._seaGreen="Havsgr.n".._aq
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):6855
                    Entropy (8bit):5.104520201568826
                    Encrypted:false
                    SSDEEP:192:GY2zTRngYmYuO1XKqZsMssqnJ0yhPsGQoInpY:92zTRngYHCy4hUI
                    MD5:2A87BC084AB70030F5691CD0F51EC3AE
                    SHA1:E7A40C4DBC3DC34C77A0AB260C14E78FEFC82C9B
                    SHA-256:BF65B962AC64E7166C5D08F72301138CB6A1EBD95DB202AB71F94FD5D3B9AB33
                    SHA-512:C333ACD585A538C5DD30115FB7AF6C3A27C6B4E219A15FC3477C2FB0F08271065A52D6FC9FE2B8A045F03682F006A89C57EEFC61D7ABA5F5D3C8F152CB18EFAC
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4268
                    Entropy (8bit):6.048254431861161
                    Encrypted:false
                    SSDEEP:96:G9IE/tTANndLRDPYoAG7hMghvr/gPR+P6GiqnYbHor5r003FSrqZZ5gkUs:GqE/RANdLB2oxhvrgPR+P6oYbiOA
                    MD5:606D181C58583865DA0340928128D2AF
                    SHA1:48FCFF9FB22D37BD326C6815352F36D12FBD6A11
                    SHA-256:B29253134DD220A500700B52A4896CF814C93DE38F019E6728B9DECDF73B3BBC
                    SHA-512:DFDE1B7DF58543A7DAF8618DC2C6F5F23A3BB5CB81473D80A55757D2659404EED5AE8C639435D6A50659D857679F08AF635E34FB397642F9A4194A138B9FE308
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:HTML document, ASCII text, with very long lines (8630), with CRLF line terminators
                    Category:dropped
                    Size (bytes):8872
                    Entropy (8bit):5.547850263629825
                    Encrypted:false
                    SSDEEP:192:3ix56x5Ewe+saG3f9SO7a+dC4zCz9ZtMyUK/y8niQIlGt4G0wVN+RVAWg3UkRavK:3Stwe+saG3f9SO777Gz9PMyUOyaiQI0r
                    MD5:73F1660E0AC7E09AE301832D2CFE07A7
                    SHA1:E9D949D25FDB6501AFBD0BDA75A975839B07713A
                    SHA-256:BBB55B0D768B1D9FF053EC44BF8E05BBB49E95FA44345809FA2437F936DC609D
                    SHA-512:C8FD3AB931B19FD81BD6209A83D32C53560597C2C7F2B3198EEC15EDFBB26DD74B8FABE3C1AB7B3798A380316822243F545DBD22C176432C02F0C14FF7167B95
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (316), with CRLF line terminators
                    Category:dropped
                    Size (bytes):2975
                    Entropy (8bit):4.932163813265018
                    Encrypted:false
                    SSDEEP:48:59elPDD8U5PlnMEW9AqvfAtAk223x5UNc9a/A4f6PfY/+1r5f6Kb1er3f13pv1eJ:59elLD8U5PlnMEW9AqvfAtAk223x5UNA
                    MD5:47A9212533F5E53F3A60D30F2DE82AC0
                    SHA1:7328244540B37EAB2FAFA613C44A7D72B52457FB
                    SHA-256:F05083FE206E05D3EED2C8AA4C265AE54E8691ADD097E7EC421C16C116B3BD6C
                    SHA-512:E0B39EA55648A15196C577F5CDFC5983445856F4F646F8EEC1BB85C07C88320D2FE6F489D1CC7CFB4966DDE5923C529215EF8F54EDAF1A6F8ADF4ED0ED42E808
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "I dag";..var L_January = "Januar";..var L_February = "Februar";..var L_March = "Marts";..var L_April = "April";..var L_May = "Maj";..var L_June = "Juni";..var L_July = "Juli";..var L_August = "August";..var L_September = "September";..var L_October = "Oktober";..var L_November = "November";..var L_December = "December";..var L_Su = "S\u00F8";..var L_Mo = "Ma";..var L_Tu = "Ti";..var L_We = "On";..var L_Th = "To";..var L_Fr = "Fr";..var L_Sa = "L\u00F8";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "\u00E5\u00E5\u00E5\u00E5";..var L_MM = "mm";..var L_DD = "dd";..var L_BadNumber = "Denne parameter er af typen \"Tal\" og m\u00E5 kun indeholde symbolet for negative tal, cifrene (\"0-9\"), cifferg
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (334), with CRLF line terminators
                    Category:dropped
                    Size (bytes):3027
                    Entropy (8bit):4.912493286210965
                    Encrypted:false
                    SSDEEP:48:59eEePDDYU5anMEW9AqvfAfeAmEGSxLlUSA9a/A5XDGtjns4DGtjg6wmtSyflyYI:59enLDYU5anMEW9AqvfA2AmEGSxLlUSf
                    MD5:96658C0C6B439D0B4F9A239BDFBA03E6
                    SHA1:B833F44AA46C0A4FC99B0BF24CC98346E74639A9
                    SHA-256:89D83D5E4EEC90516775915B0E53D09353DBAADEDD1FD2DA6F27BC1114D4C38D
                    SHA-512:10584CCED38075BA43A3D4DE7D69A5AF7E88683038A32F99C276B1392BEEEE865FD44B08CF6EF05EACD239A39ACC3D44D82FD8BEF6360A1CE5FC4D82B47CF4E8
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "Heute";..var L_January = "Januar";..var L_February = "Februar";..var L_March = "M\u00E4rz";..var L_April = "April";..var L_May = "Mai";..var L_June = "Juni";..var L_July = "Juli";..var L_August = "August";..var L_September = "September";..var L_October = "Oktober";..var L_November = "November";..var L_December = "Dezember";..var L_Su = "So";..var L_Mo = "Mo";..var L_Tu = "Di";..var L_We = "Mi";..var L_Th = "Do";..var L_Fr = "Fr";..var L_Sa = "Sa";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "yyyy";..var L_MM = "mm";..var L_DD = "dd";..var L_BadNumber = "Dies ist ein Parameter vom Typ \"Number\", der nur ein vorangestelltes Minuszeichen, Ziffern (\"0-9\"), Zeichen zur Zifferngruppierung oder
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (406), with CRLF line terminators
                    Category:dropped
                    Size (bytes):3544
                    Entropy (8bit):5.0100137520198285
                    Encrypted:false
                    SSDEEP:96:59eWtFpQbn6Ss4UfAqwfAtAs9UisxA4wc+8BlZlQ0Bu103HFFHk0irUcKbR7TFWm:5g0hXPC0Qb/21QMoW+97
                    MD5:F59BB7F081368899E0627C21B9FF7D9C
                    SHA1:4D0E9BDF4DF1AB845DFC3BE3E8F6C25B810BB7CB
                    SHA-256:A68891536393E9D64FA4731401C56EA1D95CE3DD6FD4A0D7DE58984E2B892639
                    SHA-512:3D0AD960D5DC70C5268B08D4A777500DB5FE5B3D57DBC67B8C28E44304DD17A2BA1FA64A8DC352BE0860A836EC036BE5329598931AD802352EE58B79F53F9195
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "Ma";..var L_January = "Janu\u00E1r";..var L_February = "Febru\u00E1r";..var L_March = "M\u00E1rcius";..var L_April = "\u00C1prilis";..var L_May = "M\u00E1jus";..var L_June = "J\u00FAnius";..var L_July = "J\u00FAlius";..var L_August = "Augusztus";..var L_September = "Szeptember";..var L_October = "Okt\u00F3ber";..var L_November = "November";..var L_December = "December";..var L_Su = "V";..var L_Mo = "H";..var L_Tu = "K";..var L_We = "Sze";..var L_Th = "Cs";..var L_Fr = "P";..var L_Sa = "Szo";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "\u00E9\u00E9\u00E9\u00E9";..var L_MM = "hh";..var L_DD = "nn";..var L_BadNumber = "Ez a param\u00E9ter Sz\u00E1m t\u00EDpus\u00FA, ez\u00E9rt csak m\u00EDnusz
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (483), with CRLF line terminators
                    Category:dropped
                    Size (bytes):4673
                    Entropy (8bit):4.717510037336055
                    Encrypted:false
                    SSDEEP:96:59eU9AIUUnO3FCqOEiwQjZxc+yAoYKU7zWU7z9pizGGzff2evQdgDdhNL3vn8jYf:5gzMUU76U7rlmagJLy0neWSQB
                    MD5:1B14E9B751743EFB2256F2FBCA4D51C9
                    SHA1:DD178C07A9729F97DD7F5C306002128AE303EE39
                    SHA-256:BDEB448168EE1872FB845905F744AB030CF4F88C3554A813F320FB39631BF93B
                    SHA-512:A4366BE8A56DA9BC3B18C01E36EC779C8948949E4C5DDDBF24B99F1AB8FEF5180729DA7BC56EDED97DFCBE1D3DF93731E3FEEEE07EA4B205F6EB5C70A9101B90
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "\u4ECA\u65E5";..var L_January = "1 \u6708";..var L_February = "2 \u6708";..var L_March = "3 \u6708";..var L_April = "4 \u6708";..var L_May = "5 \u6708";..var L_June = "6 \u6708";..var L_July = "7 \u6708";..var L_August = "8 \u6708";..var L_September = "9 \u6708";..var L_October = "10 \u6708";..var L_November = "11 \u6708";..var L_December = "12 \u6708";..var L_Su = "\u65E5";..var L_Mo = "\u6708";..var L_Tu = "\u706B";..var L_We = "\u6C34";..var L_Th = "\u6728";..var L_Fr = "\u91D1";..var L_Sa = "\u571F";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "yyyy";..var L_MM = "mm";..var L_DD = "dd";..var L_BadNumber = "\u3053\u306E\u30D1\u30E9\u30E1\u30FC\u30BF\u306E\u578B\u306F \"\u6570\u5024\" \u30
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (318), with CRLF line terminators
                    Category:dropped
                    Size (bytes):2836
                    Entropy (8bit):4.871582092503892
                    Encrypted:false
                    SSDEEP:48:59elPDDWU5anMEW9AqvfAdAk223x5UNc9a/AMX5iX5+r5v7qAz9xo3Az9bAFthca:59elLDWU5anMEW9AqvfAdAk223x5UNcF
                    MD5:9BF84B53AE3D997F1E31BAFC7FF659BD
                    SHA1:1B8D594ED9EAA6371E2721B55A8EAADF1EEA2716
                    SHA-256:66D9F03A90E2F876FAA2406C0E893DB07E3292D772028A66A86D32585C55410F
                    SHA-512:3B8CEB43C4C4271C4C9A228DB5A17C849A08FAC9AE7D194429DEA28D07AC88623D2D79E8FCCA4389C9BFCC77BFA1C30405CD077B171E415658872F75F3A7220D
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "I dag";..var L_January = "Januar";..var L_February = "Februar";..var L_March = "Mars";..var L_April = "April";..var L_May = "Mai";..var L_June = "Juni";..var L_July = "Juli";..var L_August = "August";..var L_September = "September";..var L_October = "Oktober";..var L_November = "November";..var L_December = "Desember";..var L_Su = "S\u00F8";..var L_Mo = "Ma";..var L_Tu = "Ti";..var L_We = "On";..var L_Th = "To";..var L_Fr = "Fr";..var L_Sa = "L\u00F8";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "\u00E5\u00E5\u00E5\u00E5";..var L_MM = "mm";..var L_DD = "dd";..var L_BadNumber = "Denne parameteren er av typen Nummer og kan bare inneholde et negativt tegnsymbol, sifre (0-9), grupperingssymboler
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (1159), with CRLF line terminators
                    Category:dropped
                    Size (bytes):8565
                    Entropy (8bit):3.891538758453395
                    Encrypted:false
                    SSDEEP:192:5gDj9+U62nLWP6YnLWm6o/wC4hh26BEwC4lhbCCVU6riaCCVTIFe0RZ48We1O:6DjoaeE
                    MD5:E8631B11C96E9BA16AD8A357C400665D
                    SHA1:A3E235FC0D03D5AE622241763E9C6DE2F2F1ED19
                    SHA-256:BF2873374E3EB89BAAC2B198DF4A18D82311E15AF9861B0A0EF717EA8182A585
                    SHA-512:B658540D11C46CEE61B89D18EC9BAE85955AF52377AA92B79192539C5D9C3BE84E3C9B514EA8A3C84305FB3091832D344B28347408B0AD1F3096FE9DE362773A
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (336), with CRLF line terminators
                    Category:dropped
                    Size (bytes):3217
                    Entropy (8bit):5.0684331267424545
                    Encrypted:false
                    SSDEEP:96:59eatF3Xjn6ZsHW9AqwfAtAzjYFxw14EoY3jTR/jTRoxsJ6RDNj2WsawcFpSCl2C:5g5mAPC0ZmjT1jTkQ+XW1g
                    MD5:5174060FE7C46329CCDCFA607EDC2CE8
                    SHA1:09AA7B366FE908C151C87E5D7FF464BFA6D9824C
                    SHA-256:E9F8E46039E266A7ED5F709A793D27C20F4E75FE85293E7C87B263B795878970
                    SHA-512:4E9237356BC9A2E5A3AB16177F9A7BE1634AA33704D1B04A676E4F3DBDF8021606DF2208227BF443E4E7BBAAEB3B9CA38BEB54B9B69BC12E8D981691FD1FDC84
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "Dnes";..var L_January = "Janu\u00E1r";..var L_February = "Febru\u00E1r";..var L_March = "Marec";..var L_April = "Apr\u00EDl";..var L_May = "M\u00E1j";..var L_June = "J\u00FAn";..var L_July = "J\u00FAl";..var L_August = "August";..var L_September = "September";..var L_October = "Okt\u00F3ber";..var L_November = "November";..var L_December = "December";..var L_Su = "Ne";..var L_Mo = "Po";..var L_Tu = "Ut";..var L_We = "St";..var L_Th = "\u0160t";..var L_Fr = "Pi";..var L_Sa = "So";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "rrrr";..var L_MM = "mm";..var L_DD = "dd";..var L_BadNumber = "Tento parameter je typu \"\u010C\u00EDslo\" a m\u00F4\u017Ee obsahova\u0165 len z\u00E1porn\u00E9 znamienko
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (402), with CRLF line terminators
                    Category:dropped
                    Size (bytes):3200
                    Entropy (8bit):4.9366568336539185
                    Encrypted:false
                    SSDEEP:96:59elc0WU5PlnME/9AqvfAtAWS23x5UvcoYLh1r+XidZHMipj9b39VAjvAIA9z6PF:5gnV9P3093RjsW1m
                    MD5:A1C89B7E87155C333D7B9429A84EB4A9
                    SHA1:854FB61A5D874D0B6F8EE273ED5311630F9A0988
                    SHA-256:41B1D3D8665CC90DB237F025B2F0D0AC463D149D1AE3F4AD2F259790BB01ADCD
                    SHA-512:6544A3C67B21C215461E5B27B7862261D4AF7EFBDB0C11F354B9BC45B0FADD9DDAE6F2C1BD9F02C49B453C96491065A4C09E350F0A1EFFFB4C29FBFF9FB4C2F2
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "I dag";..var L_January = "Januari";..var L_February = "Februari";..var L_March = "Mars";..var L_April = "April";..var L_May = "Maj";..var L_June = "Juni";..var L_July = "Juli";..var L_August = "Augusti";..var L_September = "September";..var L_October = "Oktober";..var L_November = "November";..var L_December = "December";..var L_Su = "S\u00F6";..var L_Mo = "M\u00E5";..var L_Tu = "Ti";..var L_We = "On";..var L_Th = "To";..var L_Fr = "Fr";..var L_Sa = "L\u00F6r";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "\u00E5\u00E5\u00E5\u00E5";..var L_MM = "mm";..var L_DD = "dd";..var L_BadNumber = "Den h\u00E4r parametern \u00E4r av typen \"Tal\" och kan bara inneh\u00E5lla en symbol f\u00F6r negativt t
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (1064), with CRLF line terminators
                    Category:dropped
                    Size (bytes):8246
                    Entropy (8bit):4.065689156043016
                    Encrypted:false
                    SSDEEP:96:59eE9oYHxP6ntq4zqxpjntKhcxwINAoYfMLkfX4sZLkfX4sNQi99WcOrW1zaNvWd:5gkxPLp4Pd4PkwaW1BJWiLb
                    MD5:22BBEE8850989496F628D22385BD63AB
                    SHA1:B9B0A6C3C969A81630B5D44D9418907E6F2D2561
                    SHA-256:4E548E97F282C3FBBF03FF9C8E4A51C6472A476FD71657CA323F572F8559EDE5
                    SHA-512:B58A61A19C52367BA09C3A62148D291B71712D486948DB44EEA9B7EE3676E7927B7AA88CD8902B31191347B45FD932C2A616F104C8D90E3558FC75EEFFD1F33B
                    Malicious:false
                    Reputation:low
                    Process:C:\Windows\System32\msiexec.exe
                    File Type:ASCII text, with very long lines (527), with CRLF line terminators
                    Category:dropped
                    Size (bytes):3899
                    Entropy (8bit):4.911966945403881
                    Encrypted:false
                    SSDEEP:96:59ewup0icnBVGqq5a4wgkFxgzjAoYlH5Vf+5VMtSeJVEzR1ryzRhJ6vBCcQV5xTB:5gTwqME2aDW9IE
                    MD5:DAEF37DDF323315EEC052EE7D3F4BFD2
                    SHA1:80384E4E65F3016A0F5E34848E20F70DECF360F5
                    SHA-256:3FC592831B094B185A0E6878BDC482D55A5007DCCA2B11A969D2CCD2E99B9640
                    SHA-512:7AA1B6C04F43D559D299D6B47074DBBAFF887DD5A52BCFC78C22BBC97E5E260079A0CCFAA50559A5B9E3CC77C5F8DF5A8C8BCBEC621A4AFD69A0DF686DEFF3BA
                    Malicious:false
                    Reputation:low
                    Preview:/* Copyright (c) Business Objects 2006. All rights reserved. */....// LOCALIZATION STRING....// Strings for calendar.js and calendar_param.js..var L_Today = "\u4ECA\u5929";..var L_January = "\u4E00\u6708";..var L_February = "\u4E8C\u6708";..var L_March = "\u4E09\u6708";..var L_April = "\u56DB\u6708";..var L_May = "\u4E94\u6708";..var L_June = "\u516D\u6708";..var L_July = "\u4E03\u6708";..var L_August = "\u516B\u6708";..var L_September = "\u4E5D\u6708";..var L_October = "\u5341\u6708";..var L_November = "\u5341\u4E00\u6708";..var L_December = "\u5341\u4E8C\u6708";..var L_Su = "\u65E5";..var L_Mo = "\u4E00";..var L_Tu = "\u4E8C";..var L_We = "\u4E09";..var L_Th = "\u56DB";..var L_Fr = "\u4E94";..var L_Sa = "\u516D";....// Strings for prompts.js and prompts_param.js..var L_YYYY = "yyyy";..var L_MM = "mm";..var L_DD = "dd";..var L_BadNumber = "\u6B64\u53C2\u6570\u7684\
                    No static file info
                    Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                    Target ID:0
                    Start time:07:41:02
                    Start date:30/09/2024
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://update.microgate.it/optojump/optojumpnext.exe" > cmdline.out 2>&1
                    Imagebase:0x240000
                    File size:236'544 bytes
                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:1
                    Start time:07:41:02
                    Start date:30/09/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7699e0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:2
                    Start time:07:41:02
                    Start date:30/09/2024
                    Path:C:\Windows\SysWOW64\wget.exe
                    Wow64 process (32bit):true
                    Commandline:wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://update.microgate.it/optojump/optojumpnext.exe"
                    Imagebase:0x400000
                    File size:3'895'184 bytes
                    MD5 hash:3DADB6E2ECE9C4B3E1E322E617658B60
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:9
                    Start time:07:44:12
                    Start date:30/09/2024
                    Path:C:\Users\user\Desktop\download\optojumpnext.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\download\optojumpnext.exe"
                    Imagebase:0x400000
                    File size:263'455'292 bytes
                    MD5 hash:16EDDCB330DB5178466D38E3D775FDC0
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:10
                    Start time:07:44:31
                    Start date:30/09/2024
                    Path:C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe"
                    Imagebase:0xaa0000
                    File size:126'116'296 bytes
                    MD5 hash:94498086DC1825A3AF3044BE5F4B5E92
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:11
                    Start time:07:44:35
                    Start date:30/09/2024
                    Path:C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}\setup.exe /q"C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}" /IS_temp
                    Imagebase:0x780000
                    File size:126'116'296 bytes
                    MD5 hash:94498086DC1825A3AF3044BE5F4B5E92
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:false

                    Target ID:12
                    Start time:07:44:40
                    Start date:30/09/2024
                    Path:C:\Windows\SysWOW64\msiexec.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{a0689fe9-3467-4d73-bc25-d0f696ad268a}\CRRuntime_32bit_13_0_10.msi" /qn /norestart
                    Imagebase:0x1d0000
                    File size:59'904 bytes
                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:13
                    Start time:07:44:40
                    Start date:30/09/2024
                    Path:C:\Windows\System32\msiexec.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\msiexec.exe /V
                    Imagebase:0x7ff7ba690000
                    File size:69'632 bytes
                    MD5 hash:E5DA170027542E25EDE42FC54C929077
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:14
                    Start time:07:44:44
                    Start date:30/09/2024
                    Path:C:\Windows\SysWOW64\msiexec.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 80DCE7E404A3D2C744ABC8DE5968C142
                    Imagebase:0x1d0000
                    File size:59'904 bytes
                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:15
                    Start time:07:44:54
                    Start date:30/09/2024
                    Path:C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe"
                    Imagebase:0xaa0000
                    File size:126'116'296 bytes
                    MD5 hash:94498086DC1825A3AF3044BE5F4B5E92
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:18
                    Start time:07:44:55
                    Start date:30/09/2024
                    Path:C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe"
                    Imagebase:0xaa0000
                    File size:126'116'296 bytes
                    MD5 hash:94498086DC1825A3AF3044BE5F4B5E92
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:19
                    Start time:07:45:00
                    Start date:30/09/2024
                    Path:C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}\setup.exe /q"C:\Users\user\AppData\Local\Temp\Optojump Next\setup.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{FF90D66E-8DE8-4F32-8355-F3F889CD6D3D}" /IS_temp
                    Imagebase:0x7e0000
                    File size:126'116'296 bytes
                    MD5 hash:94498086DC1825A3AF3044BE5F4B5E92
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:20
                    Start time:07:46:01
                    Start date:30/09/2024
                    Path:C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{270b0954-35ca-4324-bbc6-ba5db9072dad}\vcredist_x86.exe" /q
                    Imagebase:0x1000000
                    File size:4'995'416 bytes
                    MD5 hash:CEDE02D7AF62449A2C38C49ABECC0CD3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:21
                    Start time:07:46:03
                    Start date:30/09/2024
                    Path:C:\1adc35b2a430ffb6f8fdcb\Setup.exe
                    Wow64 process (32bit):true
                    Commandline:c:\1adc35b2a430ffb6f8fdcb\Setup.exe /q
                    Imagebase:0xff0000
                    File size:78'152 bytes
                    MD5 hash:9A1141FBCEEB2E196AE1BA115FD4BEE6
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Antivirus matches:
                    • Detection: 0%, ReversingLabs
                    • Detection: 0%, Virustotal, Browse
                    Reputation:low
                    Has exited:true

                    Target ID:22
                    Start time:07:46:11
                    Start date:30/09/2024
                    Path:C:\Windows\SysWOW64\msiexec.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\Optojump Next\ISSetupPrerequisites\{B1165B38-CA52-11E0-A63D-7C004824019B}\SSCERuntime_x86-ENU.msi" /q /norestart
                    Imagebase:0x1d0000
                    File size:59'904 bytes
                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:false

                    Target ID:23
                    Start time:07:46:11
                    Start date:30/09/2024
                    Path:C:\Windows\System32\msiexec.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\msiexec.exe /V
                    Imagebase:0x7ff7ba690000
                    File size:69'632 bytes
                    MD5 hash:E5DA170027542E25EDE42FC54C929077
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:false

                    Target ID:24
                    Start time:07:46:12
                    Start date:30/09/2024
                    Path:C:\Windows\SysWOW64\msiexec.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 1AA463F152CC7C817FC4EBBAEC5BC88D
                    Imagebase:0x1d0000
                    File size:59'904 bytes
                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:false

                    Target ID:25
                    Start time:07:46:13
                    Start date:30/09/2024
                    Path:C:\Windows\SysWOW64\msiexec.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 2150726FCB1B5064F395F524C5BCA25E E Global\MSI0000
                    Imagebase:0x1d0000
                    File size:59'904 bytes
                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:false


                      Execution Graph

                      Execution Coverage:20.7%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:4.3%
                      Total number of Nodes:1526
                      Total number of Limit Nodes:67
7576->7579 7580 40557f 10 API calls 7577->7580 7578->7579 7581 405f41 7579->7581 7582 405f65 ReleaseDC 7579->7582 7583 405efb 7580->7583 7584 405f52 GetDeviceCaps MulDiv 7581->7584 7585 405f45 GetObjectA 7581->7585 7582->7521 7583->7576 7584->7582 7585->7584 7587 405dda 7586->7587 7591 405d9c 7586->7591 7588 405dfd 7587->7588 7589 405def DeleteObject 7587->7589 7588->7538 7589->7588 7594 405cd0 7591->7594 7593 405cd0 2 API calls 7593->7587 7595 405cd7 GetProcessHeap HeapFree 7594->7595 7596 405cea 7594->7596 7595->7596 7596->7593 8269 40c066 8270 40c098 8269->8270 8274 40c07b 8269->8274 8271 40c0b6 8270->8271 8272 4091fa 6 API calls 8270->8272 8273 40b794 9 API calls 8271->8273 8271->8274 8272->8271 8273->8274 8446 40b8a8 8447 40b8b7 8446->8447 8448 40b8bc MultiByteToWideChar 8447->8448 8449 40b922 8447->8449 8448->8449 8450 40b8d5 LCMapStringW 8448->8450 8450->8449 8451 40b8f0 8450->8451 8452 40b8f6 8451->8452 8454 40b936 8451->8454 8452->8449 8453 40b904 LCMapStringW 8452->8453 8453->8449 8454->8449 8455 40b96e LCMapStringW 8454->8455 8455->8449 8456 40b986 WideCharToMultiByte 8455->8456 8456->8449 8458 40b528 8461 40b530 8458->8461 8459 40b5c2 8461->8459 8462 4082e8 RtlUnwind 8461->8462 8463 408300 8462->8463 8463->8461 8464 402728 8465 402738 8464->8465 8468 4027f1 8464->8468 8466 402798 GetDlgItem SendMessageA 8465->8466 8467 40273f 8465->8467 8473 4027c4 8466->8473 8477 4027cb 8466->8477 8470 402742 8467->8470 8471 40276d 8467->8471 8469 4027ec 8468->8469 8472 40280b PostMessageA PostMessageA 8468->8472 8470->8469 8474 402751 SendDlgItemMessageA 8470->8474 8471->8469 8475 402777 GetParent GetDlgItem SetFocus 8471->8475 8472->8469 8481 403813 GetWindowLongA SetWindowLongA lstrlenA 8473->8481 8474->8469 8475->8469 8484 404fd9 FindResourceA 8477->8484 8480 4030d7 9 API calls 8480->8469 8488 401e6d 8481->8488 8485 404ff2 LoadResource LockResource 8484->8485 8486 4027dd 8484->8486 8485->8486 8487 40500c 7 API calls 8485->8487 8486->8480 8487->8486 8489 401e76 
SendMessageA SetWindowLongA SendMessageA SetFocus 8488->8489 8489->8477 8192 4026a9 8193 4026b4 8192->8193 8194 4026d5 LoadIconA SendMessageA LoadImageA SendMessageA 8192->8194 8196 4026cf 8193->8196 8211 404f72 8193->8211 8198 40302a 8194->8198 8199 40144c 2 API calls 8198->8199 8200 403067 8199->8200 8201 403074 SetDlgItemTextA 8200->8201 8202 403085 8200->8202 8201->8202 8203 40144c 2 API calls 8202->8203 8204 403095 8203->8204 8205 40309c SetDlgItemTextA 8204->8205 8206 4030ad 8204->8206 8205->8206 8207 40144c 2 API calls 8206->8207 8208 4030bd 8207->8208 8209 4030d2 8208->8209 8210 4030c4 SetDlgItemTextA 8208->8210 8209->8196 8210->8209 8212 404fd8 8211->8212 8213 404f7b GetDC SelectPalette RealizePalette 8211->8213 8212->8196 8214 404fc0 SelectPalette RealizePalette ReleaseDC 8213->8214 8215 404fae InvalidateRect UpdateWindow 8213->8215 8214->8212 8215->8214 8275 40566b 8276 405684 lstrcmpiA 8275->8276 8277 40567a lstrcpyA 8275->8277 8276->8277 8278 40569f 8276->8278 8277->8278 8280 40936c 8281 409373 8280->8281 8282 4093a4 8281->8282 8283 40937b MultiByteToWideChar 8281->8283 8283->8282 8284 409394 GetStringTypeW 8283->8284 8284->8282 8490 40b530 8491 40b5c2 8490->8491 8493 40b54e 8490->8493 8492 4082e8 RtlUnwind 8492->8493 8493->8491 8493->8492 8494 401731 8495 401742 8494->8495 8496 401739 8494->8496 8497 40712a 6 API calls 8496->8497 8497->8495 8498 403732 8499 403748 8498->8499 8500 403739 8498->8500 8501 4049d5 37 API calls 8500->8501 8501->8499 8502 40c6b3 8503 4084ed 7 API calls 8502->8503 8504 40c6ba 8503->8504 8285 40a0f4 8286 40a102 8285->8286 8287 40a11d 8285->8287 8292 40c4c8 8286->8292 8295 40c4f5 8287->8295 8290 40a10b 8291 40a126 8298 40ce7f 8292->8298 8294 40c4e4 8294->8290 8296 40ce7f 6 API calls 8295->8296 8297 40c511 8296->8297 8297->8291 8302 40ceba 8298->8302 8299 4091fa 6 API calls 8299->8302 8300 4091fa 6 API calls 8301 40d16f 8300->8301 8301->8300 8304 40d1ba 8301->8304 8302->8299 8302->8301 8305 40d167 8302->8305 8303 4091fa 6 API 
calls 8303->8304 8304->8303 8304->8305 8305->8294 8306 40c7f4 8307 40b641 7 API calls 8306->8307 8308 40c7fb 8307->8308 8313 40d5e3 8308->8313 8311 40c80b 8312 4093f6 3 API calls 8312->8311 8314 40d5f1 8313->8314 8315 4093f6 3 API calls 8314->8315 8316 40c802 8314->8316 8315->8316 8316->8311 8316->8312 8505 40a034 8510 40c06b 8505->8510 8507 40a074 8508 4091fa 6 API calls 8509 40a042 8508->8509 8509->8507 8509->8508 8511 40c098 8510->8511 8514 40c07b 8510->8514 8512 4091fa 6 API calls 8511->8512 8513 40c0b6 8511->8513 8512->8513 8513->8514 8515 40b794 9 API calls 8513->8515 8514->8509 8515->8514 8516 405235 GetModuleHandleA 8317 4081f6 8318 408219 8317->8318 8320 40820a 8317->8320 8323 40a46f 8318->8323 8321 408240 8321->8320 8327 408044 RtlUnwind 8321->8327 8325 40a480 8323->8325 8326 40a48e 8325->8326 8328 40a50a 8325->8328 8326->8321 8327->8320 8331 40a522 8328->8331 8329 40a686 8332 40a6ac 8329->8332 8346 40a6b1 8329->8346 8331->8329 8334 40a57a 8331->8334 8335 40a671 8331->8335 8338 40c720 IsBadReadPtr 8331->8338 8334->8329 8336 40a5be 8334->8336 8335->8326 8336->8335 8340 40a86a 8336->8340 8339 40c736 8338->8339 8339->8334 8341 40a889 8340->8341 8342 40a87c 8340->8342 8373 408044 RtlUnwind 8341->8373 8350 40aa1b 8342->8350 8345 40a8a0 8345->8336 8348 40a6c1 8346->8348 8347 40a755 8347->8335 8348->8347 8349 40a86a 4 API calls 8348->8349 8349->8348 8351 40aa4f 8350->8351 8370 40aa93 ctype 8350->8370 8352 40aa74 8351->8352 8353 40aab8 8351->8353 8351->8370 8354 40c720 IsBadReadPtr 8352->8354 8355 40aac0 8353->8355 8356 40ab12 8353->8356 8358 40aa81 8354->8358 8357 40c720 IsBadReadPtr 8355->8357 8359 40ab20 8356->8359 8360 40ab5a 8356->8360 8361 40aacd 8357->8361 8358->8370 8374 40c73c IsBadWritePtr 8358->8374 8363 40c720 IsBadReadPtr 8359->8363 8362 40c720 IsBadReadPtr 8360->8362 8367 40c73c IsBadWritePtr 8361->8367 8361->8370 8365 40ab5f 8362->8365 8366 40ab25 8363->8366 8368 40c73c IsBadWritePtr 8365->8368 8365->8370 8369 40c73c IsBadWritePtr 8366->8369 
8366->8370 8367->8370 8371 40ab6d 8368->8371 8369->8370 8370->8341 8371->8370 8376 40c758 IsBadCodePtr 8371->8376 8373->8345 8375 40c752 8374->8375 8375->8370 8377 40c76a 8376->8377 8377->8370 7597 4083f7 GetVersion 7623 408536 HeapCreate 7597->7623 7599 408456 7600 408463 7599->7600 7601 40845b 7599->7601 7630 40b37c 7600->7630 7701 408512 7601->7701 7605 40846b GetCommandLineA 7644 40b24a 7605->7644 7609 408485 7667 40af44 7609->7667 7611 40848a 7612 40848f GetStartupInfoA 7611->7612 7680 40aeec 7612->7680 7614 4084a1 7615 4084aa 7614->7615 7616 4084b3 GetModuleHandleA 7615->7616 7684 4010c2 7616->7684 7624 408556 7623->7624 7625 40856b 7623->7625 7716 408572 HeapAlloc 7624->7716 7625->7599 7628 40856e 7628->7599 7629 40855f HeapDestroy 7629->7625 7631 40712a 6 API calls 7630->7631 7632 40b38d 7631->7632 7633 40b39b GetStartupInfoA 7632->7633 7718 4084ed 7632->7718 7636 40b3e7 7633->7636 7642 40b4ac 7633->7642 7637 40b458 7636->7637 7640 40712a 6 API calls 7636->7640 7636->7642 7637->7642 7643 40b47a GetFileType 7637->7643 7638 40b513 SetHandleCount 7638->7605 7639 40b4d3 GetStdHandle 7641 40b4e1 GetFileType 7639->7641 7639->7642 7640->7636 7641->7642 7642->7638 7642->7639 7643->7637 7645 40b265 GetEnvironmentStringsW 7644->7645 7646 40b298 7644->7646 7647 40b279 GetEnvironmentStrings 7645->7647 7648 40b26d 7645->7648 7646->7648 7649 40b289 7646->7649 7647->7649 7651 40847b 7647->7651 7650 40b2a5 GetEnvironmentStringsW 7648->7650 7655 40b2b1 7648->7655 7649->7651 7652 40b337 7649->7652 7653 40b32b GetEnvironmentStrings 7649->7653 7650->7651 7650->7655 7707 40affd 7651->7707 7658 40712a 6 API calls 7652->7658 7653->7651 7653->7652 7654 40b2c6 WideCharToMultiByte 7656 40b2e5 7654->7656 7657 40b317 FreeEnvironmentStringsW 7654->7657 7655->7654 7655->7655 7659 40712a 6 API calls 7656->7659 7657->7651 7665 40b352 7658->7665 7660 40b2eb 7659->7660 7660->7657 7661 40b2f4 WideCharToMultiByte 7660->7661 7663 40b30e 7661->7663 7664 40b305 7661->7664 7662 40b368 
FreeEnvironmentStringsA 7662->7651 7663->7657 7666 4070fb ctype 4 API calls 7664->7666 7665->7662 7666->7663 7668 40af51 7667->7668 7671 40af56 7667->7671 7744 40919a 7668->7744 7670 40712a 6 API calls 7672 40af83 7670->7672 7671->7670 7673 4084ed 7 API calls 7672->7673 7679 40af97 7672->7679 7673->7679 7674 40afda 7675 4070fb ctype 4 API calls 7674->7675 7676 40afe6 7675->7676 7676->7611 7677 40712a 6 API calls 7677->7679 7678 4084ed 7 API calls 7678->7679 7679->7674 7679->7677 7679->7678 7681 40aef5 7680->7681 7682 40aefa 7680->7682 7683 40919a 19 API calls 7681->7683 7682->7614 7683->7682 7786 401146 7684->7786 7687 4010ed 7691 4010f8 GetDesktopWindow 7687->7691 7695 401109 7687->7695 7692 402f63 6 API calls 7691->7692 7692->7695 7693 401111 7696 401135 ExitProcess 7693->7696 7694 401113 7697 4049d5 37 API calls 7694->7697 7839 4049d5 7695->7839 7698 401118 7697->7698 7698->7696 7699 401121 GetDesktopWindow 7698->7699 7700 402f63 6 API calls 7699->7700 7700->7693 7702 408520 7701->7702 7703 40851b 7701->7703 7705 40b641 7 API calls 7702->7705 7704 40b608 7 API calls 7703->7704 7704->7702 7706 408529 ExitProcess 7705->7706 7708 40b014 GetModuleFileNameA 7707->7708 7709 40b00f 7707->7709 7711 40b037 7708->7711 7710 40919a 19 API calls 7709->7710 7710->7708 7712 40712a 6 API calls 7711->7712 7713 40b058 7712->7713 7714 4084ed 7 API calls 7713->7714 7715 40b068 7713->7715 7714->7715 7715->7609 7717 40855b 7716->7717 7717->7628 7717->7629 7719 4084f6 7718->7719 7720 4084fb 7718->7720 7724 40b608 7719->7724 7730 40b641 7720->7730 7725 40b612 7724->7725 7726 40b641 7 API calls 7725->7726 7727 40b63f 7725->7727 7728 40b629 7726->7728 7727->7720 7729 40b641 7 API calls 7728->7729 7729->7727 7732 40b654 7730->7732 7731 408504 7731->7633 7732->7731 7733 40b76b 7732->7733 7734 40b694 7732->7734 7735 40b77e GetStdHandle WriteFile 7733->7735 7734->7731 7736 40b6a0 GetModuleFileNameA 7734->7736 7735->7731 7737 40b6b8 7736->7737 7739 40c84d 7737->7739 7740 40c85a LoadLibraryA 
7739->7740 7741 40c89c 7739->7741 7740->7741 7742 40c86b GetProcAddress 7740->7742 7741->7731 7742->7741 7743 40c882 GetProcAddress GetProcAddress 7742->7743 7743->7741 7745 4091a3 7744->7745 7746 4091aa 7744->7746 7748 408dd6 7745->7748 7746->7671 7755 408f6f 7748->7755 7752 408e19 GetCPInfo 7753 408e2d 7752->7753 7754 408f63 7753->7754 7760 409015 GetCPInfo 7753->7760 7754->7746 7756 408f8f 7755->7756 7757 408f7f GetOEMCP 7755->7757 7758 408de7 7756->7758 7759 408f94 GetACP 7756->7759 7757->7756 7758->7752 7758->7753 7758->7754 7759->7758 7761 409100 7760->7761 7763 409038 7760->7763 7761->7754 7762 40926f 6 API calls 7764 4090b4 7762->7764 7763->7762 7768 40b794 7764->7768 7767 40b794 9 API calls 7767->7761 7769 40b7c4 LCMapStringW 7768->7769 7770 40b7e0 7768->7770 7769->7770 7771 40b7e8 LCMapStringA 7769->7771 7772 40b846 7770->7772 7773 40b829 LCMapStringA 7770->7773 7771->7770 7774 4090d8 7771->7774 7772->7774 7775 40b85c MultiByteToWideChar 7772->7775 7773->7774 7774->7767 7775->7774 7776 40b886 7775->7776 7776->7774 7777 40b8bc MultiByteToWideChar 7776->7777 7777->7774 7778 40b8d5 LCMapStringW 7777->7778 7778->7774 7779 40b8f0 7778->7779 7780 40b8f6 7779->7780 7782 40b936 7779->7782 7780->7774 7781 40b904 LCMapStringW 7780->7781 7781->7774 7782->7774 7783 40b96e LCMapStringW 7782->7783 7783->7774 7784 40b986 WideCharToMultiByte 7783->7784 7784->7774 7787 40712a 6 API calls 7786->7787 7788 401165 7787->7788 7789 40712a 6 API calls 7788->7789 7790 401174 7789->7790 7791 40712a 6 API calls 7790->7791 7792 401184 7791->7792 7793 40712a 6 API calls 7792->7793 7794 40118f 7793->7794 7795 40712a 6 API calls 7794->7795 7797 40119a 7795->7797 7796 4010d3 7796->7687 7808 402226 #17 7796->7808 7797->7796 7898 401240 RegOpenKeyExA 7797->7898 7800 40712a 6 API calls 7801 4011f2 7800->7801 7801->7796 7802 4011f9 GetModuleFileNameA 7801->7802 7921 401670 7802->7921 7805 4070fb ctype 4 API calls 7806 401210 7805->7806 7806->7796 7941 4015f3 7806->7941 7809 402263 
7808->7809 7810 402422 7809->7810 7811 4022ce 7809->7811 7814 4022ac GetDesktopWindow MessageBoxA 7809->7814 7815 40228e LoadStringA 7809->7815 7837 4010e4 7809->7837 7812 4024d8 7810->7812 7813 40242f 7810->7813 7819 402331 7811->7819 7822 402529 15 API calls 7811->7822 7817 403a9e 168 API calls 7812->7817 8089 404ecd FindResourceA LoadResource LockResource 7813->8089 7814->7811 7814->7837 7815->7814 7833 4024de 7817->7833 7820 402364 7819->7820 7823 402529 15 API calls 7819->7823 7824 402397 7820->7824 7826 402529 15 API calls 7820->7826 7821 404ecd 6 API calls 7825 402479 7821->7825 7822->7819 7823->7820 7828 4023ca 7824->7828 8065 402529 wsprintfA 7824->8065 8095 40598f 7825->8095 7826->7824 7830 402529 15 API calls 7828->7830 7832 4023f5 7830->7832 7831 4024cd DeleteObject 7831->7833 7832->7810 7835 402529 15 API calls 7832->7835 7833->7837 8110 40344c GetStartupInfoA 7833->8110 7835->7810 7836 402487 7836->7831 7838 4070fb HeapFree VirtualFree VirtualFree HeapFree ctype 7836->7838 7837->7687 7837->7694 7838->7836 7840 4049e5 7839->7840 7841 4049de FreeLibrary 7839->7841 7842 404a05 7840->7842 7844 4037b1 4 API calls 7840->7844 7841->7840 7843 404a1c 7842->7843 7845 404a15 GetLongPathNameW 7842->7845 8177 404e9e 7843->8177 7847 4049fa 7844->7847 7845->7843 8160 404ba4 lstrcpyA lstrcatA 7847->8160 7849 404a30 7852 404a40 7849->7852 7853 4070fb ctype 4 API calls 7849->7853 7851 4070fb ctype 4 API calls 7851->7849 7854 404a50 7852->7854 7855 4070fb ctype 4 API calls 7852->7855 7853->7852 7856 404a60 7854->7856 7858 4070fb ctype 4 API calls 7854->7858 7855->7854 7857 404a70 7856->7857 7859 4070fb ctype 4 API calls 7856->7859 7860 404a80 7857->7860 7861 4070fb ctype 4 API calls 7857->7861 7858->7856 7859->7857 7862 404a90 7860->7862 7863 4070fb ctype 4 API calls 7860->7863 7861->7860 7864 404aa0 7862->7864 7866 4070fb ctype 4 API calls 7862->7866 7863->7862 7865 404ab0 7864->7865 7867 4070fb ctype 4 API calls 7864->7867 7868 404ac0 7865->7868 7869 4070fb ctype 4 
API calls 7865->7869 7866->7864 7867->7865 7870 404ad0 7868->7870 7871 4070fb ctype 4 API calls 7868->7871 7869->7868 7872 404ae0 7870->7872 7874 4070fb ctype 4 API calls 7870->7874 7871->7870 7873 404af0 7872->7873 7875 4070fb ctype 4 API calls 7872->7875 7876 404b00 7873->7876 7877 4070fb ctype 4 API calls 7873->7877 7874->7872 7875->7873 7878 404b10 7876->7878 7879 4070fb ctype 4 API calls 7876->7879 7877->7876 7880 4070fb ctype 4 API calls 7878->7880 7884 404b20 7878->7884 7879->7878 7880->7884 7881 4070fb ctype 4 API calls 7883 404b30 7881->7883 7882 404b40 7886 404b50 7882->7886 7887 4070fb ctype 4 API calls 7882->7887 7883->7882 7885 4070fb ctype 4 API calls 7883->7885 7884->7881 7884->7883 7885->7882 7888 404b60 7886->7888 7890 4070fb ctype 4 API calls 7886->7890 7887->7886 7889 404b70 7888->7889 7891 4070fb ctype 4 API calls 7888->7891 7892 404b80 7889->7892 7893 4070fb ctype 4 API calls 7889->7893 7890->7888 7891->7889 7894 404b90 7892->7894 7895 4070fb ctype 4 API calls 7892->7895 7893->7892 7896 404ba0 7894->7896 7897 4070fb ctype 4 API calls 7894->7897 7895->7894 7896->7693 7897->7896 7899 401300 GetWindowsDirectoryA lstrlenA 7898->7899 7900 40127b RegQueryValueExA lstrlenA 7898->7900 7901 401417 6 API calls 7899->7901 7945 401417 7900->7945 7903 401321 lstrcatA lstrlenA 7901->7903 7905 401417 6 API calls 7903->7905 7904 4012b8 RegQueryValueExA lstrlenA 7906 401417 6 API calls 7904->7906 7908 40134f GetSystemDirectoryA lstrlenA 7905->7908 7907 4012f0 RegCloseKey 7906->7907 7907->7899 7909 401417 6 API calls 7908->7909 7910 401377 GetTempPathA 7909->7910 7911 40139c 7910->7911 7912 40149e GetFileAttributesA 7911->7912 7913 4013aa 7912->7913 7914 4013cc lstrcpyA lstrcatA lstrlenA 7913->7914 7915 4013af lstrlenA 7913->7915 7916 401417 6 API calls 7914->7916 7917 401417 6 API calls 7915->7917 7918 4013ff 7916->7918 7919 4011d5 LoadLibraryA 7917->7919 7920 401516 4 API calls 7918->7920 7919->7800 7920->7919 7922 401756 12 API calls 7921->7922 7923 401687 
7922->7923 7924 401695 GetFileSize 7923->7924 7925 401208 7923->7925 7949 401a0f 7924->7949 7925->7805 7929 4016ba 7962 40180d ReadFile 7929->7962 7932 4016c7 7933 4016d9 7932->7933 7934 40712a 6 API calls 7932->7934 7963 40180d ReadFile 7933->7963 7934->7933 7936 4016e9 7964 401b0f 7936->7964 7939 4070fb ctype 4 API calls 7940 4016ad 7939->7940 7981 401851 CloseHandle 7940->7981 7943 40165d 7941->7943 7944 401600 7941->7944 7942 4075ba 6 API calls 7942->7944 7943->7796 7944->7942 7944->7943 7946 401428 7945->7946 7948 401424 7945->7948 7947 40712a 6 API calls 7946->7947 7947->7948 7948->7904 7950 4016a6 7949->7950 7951 401a29 7949->7951 7950->7940 7961 4017f8 SetFilePointer 7950->7961 7982 40180d ReadFile 7951->7982 7953 401a5e 7983 4017f8 SetFilePointer 7953->7983 7955 401a68 7984 40180d ReadFile 7955->7984 7957 401a77 7985 4017f8 SetFilePointer 7957->7985 7960 401a87 7960->7950 7986 40180d ReadFile 7960->7986 7961->7929 7962->7932 7963->7936 7966 401b29 7964->7966 7965 401701 7965->7939 7965->7940 7966->7965 7967 40712a 6 API calls 7966->7967 7968 401b58 7966->7968 7967->7968 7969 40712a 6 API calls 7968->7969 7975 401bc1 7968->7975 7969->7975 7970 401daf 7970->7975 8005 401feb GetTempFileNameA 7970->8005 8017 402101 7970->8017 8024 402166 7970->8024 7971 401417 6 API calls 7971->7975 7975->7965 7975->7970 7975->7971 7978 40712a 6 API calls 7975->7978 7980 4070fb ctype 4 API calls 7975->7980 7987 402099 7975->7987 7996 401e98 7975->7996 8002 407851 7975->8002 7978->7975 7980->7975 7981->7925 7982->7953 7983->7955 7984->7957 7985->7960 7986->7960 7988 40712a 6 API calls 7987->7988 7989 4020a4 GetTempFileNameA 7988->7989 8032 401f22 GetTempFileNameA 7989->8032 7992 4020d9 MessageBoxA 7993 4020f0 7992->7993 7994 4020f6 7992->7994 7995 4070fb ctype 4 API calls 7993->7995 7994->7975 7995->7994 7999 401ef9 7996->7999 8001 401ea8 7996->8001 7997 401f1f 7997->7975 7999->7997 8000 401f14 lstrcpyA 7999->8000 8000->7999 8001->7999 8042 407960 8001->8042 8050 407649 
8002->8050 8006 401f22 21 API calls 8005->8006 8007 402039 8006->8007 8008 402092 8007->8008 8009 401756 12 API calls 8007->8009 8008->7975 8010 402058 8009->8010 8011 40206a 8010->8011 8012 40712a 6 API calls 8010->8012 8063 40180d ReadFile 8011->8063 8012->8011 8014 402078 8064 401851 CloseHandle 8014->8064 8016 40207e DeleteFileA 8016->8008 8018 40712a 6 API calls 8017->8018 8019 40210b lstrcpyA lstrcatA 8018->8019 8020 401f22 21 API calls 8019->8020 8021 402142 8020->8021 8022 402149 LoadLibraryA 8021->8022 8023 40215a 8021->8023 8022->8023 8023->7970 8025 402171 8024->8025 8026 4021c7 8024->8026 8027 402180 GetProcAddress 8025->8027 8028 402191 8025->8028 8026->7975 8027->8026 8027->8028 8029 402196 GetProcAddress 8028->8029 8030 4021ac 8028->8030 8029->8026 8029->8030 8030->8026 8031 4021b1 GetProcAddress 8030->8031 8031->8026 8033 401756 12 API calls 8032->8033 8034 401f75 8033->8034 8035 401fe6 8034->8035 8040 40182f WriteFile 8034->8040 8035->7992 8035->7994 8037 401f8d 8041 401851 CloseHandle 8037->8041 8039 401f93 6 API calls 8039->8035 8040->8037 8041->8039 8044 4079cd 8042->8044 8046 40796f 8042->8046 8043 4079e2 8043->8001 8044->8043 8047 4091fa 6 API calls 8044->8047 8045 407991 8045->8001 8046->8045 8048 40926f 6 API calls 8046->8048 8049 4079de 8047->8049 8048->8045 8049->8001 8052 407661 8050->8052 8051 4091fa 6 API calls 8051->8052 8052->8051 8054 407691 8052->8054 8053 4091fa 6 API calls 8053->8054 8054->8053 8056 4077ba 8054->8056 8057 4094ba 8054->8057 8056->7975 8058 4094e5 8057->8058 8062 4094c8 8057->8062 8059 4091fa 6 API calls 8058->8059 8060 409501 8058->8060 8059->8060 8061 40b794 9 API calls 8060->8061 8060->8062 8061->8062 8062->8054 8063->8014 8064->8016 8066 40144c 2 API calls 8065->8066 8067 40258d 8066->8067 8068 4025c3 8067->8068 8069 402594 lstrlenA 8067->8069 8070 40144c 2 API calls 8068->8070 8071 4025a9 8069->8071 8077 4025a4 lstrcpyA 8069->8077 8072 4025d6 8070->8072 8074 40712a 6 API calls 8071->8074 8075 40260c 8072->8075 
8076 4025dd lstrlenA 8072->8076 8074->8077 8080 40266e 8075->8080 8083 40712a 6 API calls 8075->8083 8078 4025f2 8076->8078 8079 4025ed lstrcpyA 8076->8079 8077->8068 8082 40712a 6 API calls 8078->8082 8079->8075 8080->7828 8082->8079 8084 40261a 8083->8084 8085 40144c 2 API calls 8084->8085 8086 402633 8085->8086 8087 402651 wsprintfA 8086->8087 8088 40263e lstrcpyA 8086->8088 8087->8080 8088->8087 8090 402455 LoadImageA 8089->8090 8091 404efd 8089->8091 8090->7821 8091->8090 8092 404f07 LocalAlloc 8091->8092 8092->8090 8094 404f2b 8092->8094 8093 404f59 CreatePalette LocalFree 8093->8090 8094->8093 8094->8094 8096 4059a9 8095->8096 8097 4059eb 8095->8097 8096->8097 8142 405ceb 8096->8142 8097->7836 8099 4059c2 8099->8097 8100 405b28 33 API calls 8099->8100 8101 4059e3 8100->8101 8101->8097 8102 4059ef IsWindow 8101->8102 8103 405a54 8102->8103 8109 405a09 PeekMessageA 8102->8109 8104 405d93 3 API calls 8103->8104 8104->8097 8106 405a20 IsDialogMessageA 8108 405a30 TranslateMessage DispatchMessageA 8106->8108 8106->8109 8107 405a48 IsWindow 8107->8103 8107->8109 8108->8109 8109->8106 8109->8107 8111 4034cc 8110->8111 8112 4036c7 8111->8112 8113 403517 lstrcpyA lstrcpyA 8111->8113 8112->7837 8114 403276 2 API calls 8113->8114 8115 403542 lstrcatA 8114->8115 8116 4014b7 2 API calls 8115->8116 8117 403565 8116->8117 8118 40357a 8117->8118 8119 40356b lstrcpyA 8117->8119 8152 4032a1 lstrlenA 8118->8152 8119->8118 8124 4035e4 lstrcpyA wsprintfA 8126 403636 8124->8126 8127 40361d lstrcatA lstrcatA 8124->8127 8125 403598 ShellExecuteA 8125->8112 8128 4035c8 8125->8128 8129 403657 CreateDialogParamA CreateProcessA 8126->8129 8130 40363e lstrcatA lstrcatA 8126->8130 8127->8126 8131 4037b1 4 API calls 8128->8131 8133 403697 8129->8133 8134 4036cb 8129->8134 8130->8129 8132 4035ce WaitForSingleObject 8131->8132 8132->8128 8135 4035df 8132->8135 8136 4037b1 4 API calls 8133->8136 8139 40144c 2 API calls 8134->8139 8141 4036fe MessageBoxA DestroyWindow 8134->8141 8135->8112 
8138 40369d WaitForSingleObject 8136->8138 8138->8133 8140 4036b0 CloseHandle CloseHandle KiUserCallbackDispatcher 8138->8140 8139->8141 8140->8112 8141->8112 8149 405cb2 8142->8149 8144 405cf8 8145 405cb2 2 API calls 8144->8145 8148 405d25 8144->8148 8146 405d17 8145->8146 8147 405cd0 2 API calls 8146->8147 8146->8148 8147->8148 8148->8099 8150 405cb9 GetProcessHeap HeapAlloc 8149->8150 8151 405ccd 8149->8151 8150->8144 8151->8144 8153 4032b9 8152->8153 8154 40374d 8153->8154 8155 40375c 8154->8155 8156 403764 CompareStringA 8155->8156 8157 403592 8155->8157 8156->8157 8158 403783 CompareStringA 8156->8158 8157->8124 8157->8125 8158->8157 8159 403794 CompareStringA 8158->8159 8159->8157 8181 404d4d lstrcpyA 8160->8181 8162 404c09 8163 404c0e 8162->8163 8164 404c2e FindFirstFileA 8162->8164 8165 404c2b DeleteFileA 8162->8165 8163->7842 8166 404cfe lstrcpyA lstrlenA RemoveDirectoryA 8164->8166 8175 404c4e 8164->8175 8165->8164 8166->8163 8167 404d31 8166->8167 8167->8163 8171 404dac 9 API calls 8167->8171 8168 404c9c lstrcpyA lstrcatA DeleteFileA 8170 404cdd FindNextFileA 8168->8170 8173 404cc5 8168->8173 8169 404c60 lstrcpyA lstrcatA lstrcatA 8172 404ba4 10 API calls 8169->8172 8174 404cf5 FindClose 8170->8174 8170->8175 8171->8163 8172->8175 8173->8170 8183 404dac 8173->8183 8174->8166 8175->8168 8175->8169 8175->8170 8178 404ea7 FreeLibrary DeleteFileA 8177->8178 8179 404a21 8177->8179 8178->8179 8179->7849 8179->7851 8182 404d7a 8181->8182 8182->8162 8190 407c60 8183->8190 8186 404e01 GetPrivateProfileSectionA GetShortPathNameA 8188 404e50 lstrcatA lstrcatA lstrcatA lstrcatA WritePrivateProfileSectionA 8186->8188 8189 404e3a WritePrivateProfileStringA 8186->8189 8187 404e97 8187->8173 8188->8187 8189->8187 8191 404db9 MoveFileExA 8190->8191 8191->8186 8191->8187 8378 40bcf9 8379 40bd06 8378->8379 8386 40cafc 8379->8386 8381 40bd20 8382 40cafc 6 API calls 8381->8382 8384 40bd4b 8381->8384 8383 40bd39 8382->8383 8383->8384 8385 4084ed 7 API calls 8383->8385 
8385->8384 8389 40cb0f 8386->8389 8387 40cb38 HeapAlloc 8387->8389 8390 40cb63 8387->8390 8388 408906 5 API calls 8388->8389 8389->8387 8389->8388 8389->8390 8390->8381 8517 40c6bc 8518 40c6cb 8517->8518 8519 40c6ee 8518->8519 8520 40c758 IsBadCodePtr 8518->8520 8520->8519 8521 40523e 8522 40525a ctype 2 API calls 8521->8522 8523 405246 8522->8523 8524 407c9d ctype 4 API calls 8523->8524 8525 405253 8523->8525 8524->8525 8526 40283f 8527 40284f 8526->8527 8534 4028e1 8526->8534 8529 402856 8527->8529 8530 402889 GetDlgItem SendMessageA 8527->8530 8528 4028f7 8529->8528 8531 40285d GetParent GetDlgItem IsDlgButtonChecked EnableWindow 8529->8531 8532 4028b5 8530->8532 8533 4028bc 8530->8533 8531->8528 8536 403813 7 API calls 8532->8536 8537 4030d7 9 API calls 8533->8537 8534->8528 8535 40290c PostMessageA PostMessageA 8534->8535 8535->8528 8536->8533 8538 4028cd CheckRadioButton 8537->8538 8538->8528 8539 40293f GetParent 8540 402957 8539->8540 8546 402999 8539->8546 8541 402987 8540->8541 8542 40295e 8540->8542 8544 4030d7 9 API calls 8541->8544 8543 402994 8542->8543 8549 40335e GetDlgItem 8542->8549 8544->8543 8545 4029c1 PostMessageA PostMessageA 8545->8543 8546->8543 8546->8545 8548 402970 GetDlgItem EnableWindow 8548->8543 8550 403371 GetWindowTextA 8549->8550 8551 40339d 8549->8551 8552 40341c 11 API calls 8550->8552 8551->8548 8553 40338e 8552->8553 8553->8548

                      Control-flow Graph

                      [Figure: control-flow graph of the code starting at 00404BA4; nodes are marked Executed or Not Executed]
                      APIs
                      • lstrcpyA.KERNEL32(?,00000007,?,00000000), ref: 00404BEB
                      • lstrcatA.KERNEL32(?,*.*,?,00000000), ref: 00404BFF
                        • Part of subcall function 00404D4D: lstrcpyA.KERNEL32(00000000,pft,74DE83C0,?,?,00404C09,00000007), ref: 00404D67
                      • DeleteFileA.KERNELBASE(02161D00,?,?,00000000), ref: 00404C2C
                      • FindFirstFileA.KERNELBASE(?,00000000,?,?,00000000), ref: 00404C3C
                      • lstrcpyA.KERNEL32(?,00000007,?,?,00000000), ref: 00404C6A
                      • lstrcatA.KERNEL32(?,0000002E,?,?,00000000), ref: 00404C7A
                      • lstrcatA.KERNEL32(?,004141DC,?,?,00000000), ref: 00404C88
                      • FindNextFileA.KERNELBASE(00000007,00000010,?,?,00000000), ref: 00404CE7
                      • FindClose.KERNELBASE(00000007,?,?,00000000), ref: 00404CF8
                      • lstrcpyA.KERNEL32(?,00000007,?,?,00000000), ref: 00404D08
                      • lstrlenA.KERNEL32(?,?,?,00000000), ref: 00404D11
                      • RemoveDirectoryA.KERNELBASE(?,?,?,00000000), ref: 00404D26
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmpDownload File
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmpDownload File
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: lstrcpy$FileFindlstrcat$CloseDeleteDirectoryFirstNextRemovelstrlen
                      • String ID: *.*$.
                      • API String ID: 3886115242-358234090
                      • Opcode ID: 6720fea5c1bb95efd88404b66ef1e248fa9f08ceabee1c8b73982089322c25e3
                      • Instruction ID: 8da87b0a7008ff1cfbad8f5a1927a94a7db0c39f2972e70ab01da4b6d4083d8e
                      • Opcode Fuzzy Hash: 6720fea5c1bb95efd88404b66ef1e248fa9f08ceabee1c8b73982089322c25e3
                      • Instruction Fuzzy Hash: F34140B680011DBADF20DBA4DD48BCE7BBCAF95304F1085B6E649E6090D7B89AD4CF54

                      Control-flow Graph

                      APIs
                      • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,?,00000000,00000000), ref: 00405773
                      • GetProcAddress.KERNEL32(00000000), ref: 0040577A
                      • lstrcpyA.KERNEL32(?,00000000), ref: 0040579A
                      • lstrcatA.KERNEL32(?,004141DC), ref: 004057AC
                      • GetDiskFreeSpaceExA.KERNELBASE(?,?,00000000,00000000), ref: 004057F5
                      • GetLastError.KERNEL32 ref: 00405803
                      • GetDiskFreeSpaceA.KERNEL32(?,00000000,?,00000000,?), ref: 00405850
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: DiskFreeSpace$AddressErrorHandleLastModuleProclstrcatlstrcpy
                      • String ID: GetDiskFreeSpaceExA$\$kernel32.dll
                      • API String ID: 2937180275-1329531721
                      • Opcode ID: f9427c37737056bcf88223dd5419d3c829150c88c5e9a1820bdbe32b01fb25b6
                      • Instruction ID: fe1b638a8fcb217effcc7d3826390cb2ebe59822cc84321a8270707f364db994
                      • Opcode Fuzzy Hash: f9427c37737056bcf88223dd5419d3c829150c88c5e9a1820bdbe32b01fb25b6
                      • Instruction Fuzzy Hash: ED412D7694125CEFDB11DFA4CC459CFBBB9EB18300F1484AAE608E7241D6349B948FA4
                      APIs
                      • FindFirstFileA.KERNELBASE(00000000,00000000,%spftw%d.pkg,75BF8400), ref: 004014E0
                      • FindClose.KERNELBASE(00000000), ref: 0040150A
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: Find$CloseFileFirst
                      • String ID: %spftw%d.pkg
                      • API String ID: 2295610775-1047716302
                      • Opcode ID: 48770032858f3c2a50ae75e14253d0cbbaee23f7b123f38547d7c147fabcfb89
                      • Instruction ID: 7152ec987349e8d2b6911eee181f6fd0025c403e26c1f551eaaafe63d9a17fbc
                      • Opcode Fuzzy Hash: 48770032858f3c2a50ae75e14253d0cbbaee23f7b123f38547d7c147fabcfb89
                      • Instruction Fuzzy Hash: EAF09033900134ABCF324A26DC087DA7768AB84725F004665EA19BA2E0D3749E44CAC4

                      Control-flow Graph

                      APIs
                      • GetWindowLongA.USER32(?,000000F4), ref: 004067A8
                      • SendMessageA.USER32(?,0000004E,00000000,?), ref: 004067EC
                      • IsWindow.USER32(00000000), ref: 0040680C
                      • SetFocus.USER32(00000000), ref: 00406819
                      • SendMessageA.USER32(?,0000004E,00000000,?), ref: 00406838
                      • SendMessageA.USER32(?,0000004E,00000000,?), ref: 00406880
                      • SendMessageA.USER32(?,0000004E,00000000,?), ref: 004068C5
                      • SendMessageA.USER32(?,0000004E,00000000,?), ref: 004068E7
                        • Part of subcall function 00406194: GetDC.USER32(?), ref: 004061CA
                        • Part of subcall function 00406194: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004061E8
                        • Part of subcall function 00406194: GetObjectA.GDI32(00000000,0000003C,?), ref: 004061F8
                        • Part of subcall function 00406194: CreateFontIndirectA.GDI32(?), ref: 00406209
                        • Part of subcall function 00406194: SelectObject.GDI32(?,00000000), ref: 00406219
                        • Part of subcall function 00406194: GetDlgItem.USER32(?,000003EE), ref: 00406232
                        • Part of subcall function 00406194: GetWindowTextA.USER32(00000000,?,?), ref: 00406235
                        • Part of subcall function 00406194: GetTextExtentPointA.GDI32(?,?,00000000,?), ref: 00406251
                        • Part of subcall function 00406194: SelectObject.GDI32(?,?), ref: 0040625D
                        • Part of subcall function 00406194: DeleteObject.GDI32(00000000), ref: 00406260
                        • Part of subcall function 00406194: ReleaseDC.USER32(?,?), ref: 0040626D
                        • Part of subcall function 00406194: GetDlgItem.USER32(?,000003ED), ref: 0040627D
                        • Part of subcall function 00406194: GetWindowRect.USER32(00000000), ref: 00406280
                        • Part of subcall function 00406194: ScreenToClient.USER32(?,?), ref: 0040628B
                      • GetDlgItem.USER32(?,00003024), ref: 0040693D
                      • ShowWindow.USER32(00000000), ref: 00406940
                      • GetDlgItem.USER32(?,00003025), ref: 0040694E
                      • ShowWindow.USER32(00000000), ref: 00406951
                      • GetWindowLongA.USER32(?,000000EC), ref: 00406960
                      • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0040696D
                      • MapDialogRect.USER32(?,00000039), ref: 0040699A
                      • GetDlgItem.USER32(?,00003023), ref: 004069AC
                      • GetWindowRect.USER32(00000000,00000039), ref: 004069BC
                      • ScreenToClient.USER32(?,00000039), ref: 004069C9
                      • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000205), ref: 004069E2
                      • GetDlgItem.USER32(?,00003024), ref: 004069F0
                      • GetWindowRect.USER32(00000000,00000039), ref: 004069FA
                      • ScreenToClient.USER32(?,00000039), ref: 00406A03
                      • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000205), ref: 00406A1C
                      • GetDlgItem.USER32(?,00000002), ref: 00406A27
                      • GetWindowRect.USER32(00000000,00000039), ref: 00406A31
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: Window$Item$MessageSend$Rect$Object$ClientLongScreen$SelectShowText$CreateDeleteDialogExtentFocusFontIndirectPointRelease
                      • String ID: $9
                      • API String ID: 1961577443-1776416348
                      • Opcode ID: af71cbbc95e33168e2879dc02f25677f8b58f77f0099fc4f71adbf9822970d53
                      • Instruction ID: f566ca8cda8d9c5b354ca2a1fe6f676fd49a582408d40181e619da093ba4f0fd
                      • Opcode Fuzzy Hash: af71cbbc95e33168e2879dc02f25677f8b58f77f0099fc4f71adbf9822970d53
                      • Instruction Fuzzy Hash: C4228E71900209BBEB119F64DD49FAF7B79EF04310F118166FA06F61E0D7B89A61CB68

                      Control-flow Graph

                      APIs
                      • BeginPaint.USER32(00000000,00000000,?,?,?), ref: 004063E1
                      • SetTextColor.GDI32(00000000,00000000), ref: 004063EC
                      • SetBkColor.GDI32(00000000,00FFFFFF), ref: 004063FB
                      • SetBkMode.GDI32(00000000,00000001), ref: 00406407
                      • MapDialogRect.USER32(?,0000000E), ref: 00406432
                        • Part of subcall function 004062CA: MapDialogRect.USER32(?,00000007), ref: 00406307
                        • Part of subcall function 004062CA: GetClientRect.USER32(?,00000000), ref: 00406312
                        • Part of subcall function 004062CA: GetDlgItem.USER32(?,000003EC), ref: 00406322
                        • Part of subcall function 004062CA: GetWindowRect.USER32(00000000), ref: 00406329
                        • Part of subcall function 004062CA: ScreenToClient.USER32(?,00000000), ref: 0040633A
                        • Part of subcall function 004062CA: ScreenToClient.USER32(?,?), ref: 00406341
                        • Part of subcall function 004062CA: GetObjectA.GDI32(?,00000018,00000000), ref: 00406375
                      • CreateCompatibleDC.GDI32(00000000), ref: 00406456
                      • SelectObject.GDI32(00000000,?), ref: 00406463
                      • SelectPalette.GDI32(00000000,?,00000000), ref: 0040647D
                      • RealizePalette.GDI32(00000000), ref: 00406483
                      • SelectPalette.GDI32(?,?,00000000), ref: 00406491
                      • RealizePalette.GDI32(?), ref: 00406499
                      • BitBlt.GDI32(00000000,?,ml@,00000000,?,?,00000000,00000000,00CC0020), ref: 004064B8
                      • SelectPalette.GDI32(00000000,00000000,00000000), ref: 004064CF
                      • SelectPalette.GDI32(?,?,00000000), ref: 004064D9
                      • SelectObject.GDI32(?,?), ref: 004064E1
                      • DeleteDC.GDI32(?), ref: 004064EA
                      • lstrcpynA.KERNEL32(00000000,?,000003FF,?,?,?), ref: 00406554
                      • LoadStringA.USER32(?,?,00000000,000003FF), ref: 0040656A
                      • SelectObject.GDI32(00000000), ref: 0040657D
                      • lstrlenA.KERNEL32(00000000,?,?,?), ref: 00406589
                      • TextOutA.GDI32(00000000,0000000E,00000007,00000000,00000000), ref: 0040659E
                      • SelectObject.GDI32(00000000,?), ref: 004065A8
                      • lstrcpynA.KERNEL32(00000000,?,000003FF,?,?,?), ref: 004065F4
                      • LoadStringA.USER32(?,?,00000000,000003FF), ref: 0040660A
                      • SetTextColor.GDI32(00000000,00000000), ref: 00406614
                      • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00406620
                      • SelectObject.GDI32(00000000,00000000), ref: 0040662E
                      • lstrlenA.KERNEL32(00000000,00000000,00000110,?,?,?), ref: 00406664
                      • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00406673
                      • SelectObject.GDI32(00000000,00000000), ref: 0040667B
                      • SetTextColor.GDI32(00000000,?), ref: 00406681
                      • SetBkColor.GDI32(00000000,?), ref: 0040668B
                      • SetBkMode.GDI32(00000000,?), ref: 00406695
                      • EndPaint.USER32(?,00000000,?,?,?), ref: 004066A5
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: Select$Object$Palette$ColorText$Rect$Client$DialogLoadModePaintRealizeScreenStringlstrcpynlstrlen$BeginCompatibleCreateDeleteDrawItemMessageSendWindow
                      • String ID: ml@
                      • API String ID: 2495339399-14345306
                      • Opcode ID: 0a935839da75d26385d2324fa5347c5de9eccd58fba9fbb379b11f4beb13a0d6
                      • Instruction ID: e666f25def7f55a8c691980ecf5daee21d35a97bcba1cac0a7eeb4b1add5dce5
                      • Opcode Fuzzy Hash: 0a935839da75d26385d2324fa5347c5de9eccd58fba9fbb379b11f4beb13a0d6
                      • Instruction Fuzzy Hash: 4BA107B2900208BFDF119FA4DD48BEEBBB9FB48300F108565F605E6160DBB59A55CF68

                      Control-flow Graph

                      APIs
                      • GetStartupInfoA.KERNEL32(00000044), ref: 004034BC
                      • lstrcpyA.KERNEL32(?), ref: 00403524
                      • lstrcpyA.KERNEL32(?,?), ref: 00403534
                      • lstrcatA.KERNEL32(?), ref: 00403556
                      • lstrcpyA.KERNEL32(?), ref: 00403578
                      • ShellExecuteA.SHELL32(00000000,open,?,?,?), ref: 004035B7
                      • WaitForSingleObject.KERNEL32(00000000,00000064), ref: 004035D2
                      • lstrcpyA.KERNEL32(?,?), ref: 004035F2
                      • wsprintfA.USER32 ref: 00403607
                      • lstrcatA.KERNEL32(?,00414198), ref: 00403625
                      • lstrcatA.KERNEL32(?), ref: 00403634
                      • lstrcatA.KERNEL32(?,00414198), ref: 00403646
                      • lstrcatA.KERNEL32(?), ref: 00403655
                      • CreateDialogParamA.USER32(000003F1,00000000,00403732,00000000), ref: 00403669
                      • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000044,?), ref: 0040368D
                      • WaitForSingleObject.KERNEL32(?,00000064), ref: 004036A3
                      • CloseHandle.KERNEL32(?), ref: 004036B9
                      • CloseHandle.KERNEL32(0040251F), ref: 004036BE
                      • KiUserCallbackDispatcher.NTDLL(00000000), ref: 004036C1
                      • MessageBoxA.USER32(00000000,?,Unable to Execute!,00000000), ref: 0040371D
                      • DestroyWindow.USER32(00000000), ref: 00403724
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: lstrcat$lstrcpy$CloseCreateHandleObjectSingleWait$CallbackDestroyDialogDispatcherExecuteInfoMessageParamProcessShellStartupUserWindowwsprintf
                      • String ID: "%s"$D$Strings$Unable to Execute!$open
                      • API String ID: 3633723840-3339623769
                      • Opcode ID: 610e086764057eb780c0b4217d3e3e39592307aac96c3160982a658a3e4e9613
                      • Instruction ID: ccea050495ceeb13c538f814d2e17a6478984536604d8e13866f855fe4647e36
                      • Opcode Fuzzy Hash: 610e086764057eb780c0b4217d3e3e39592307aac96c3160982a658a3e4e9613
                      • Instruction Fuzzy Hash: 478142B2800659FEDB219BE4DC89EDE7B7CEB48305F1044B6E605F6290DB785F848B58

                      Control-flow Graph

                      APIs
                      • RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00000000,00020019,004011D5,?,00000104,00000000,?,?,004011D5,004084C5,00000000), ref: 00401262
                      • RegQueryValueExA.KERNELBASE(004011D5,ProgramFilesDir,00000000,?,?,?,00000104,00000000), ref: 004012A2
                      • lstrlenA.KERNEL32(?,00000104,00000000), ref: 004012AA
                      • RegQueryValueExA.KERNELBASE(004011D5,CommonFilesDir,00000000,00000001,?,00000104,00000000), ref: 004012DA
                      • lstrlenA.KERNEL32 ref: 004012E2
                      • RegCloseKey.KERNELBASE(004011D5,?,004011D5,004084C5,00000000), ref: 004012FA
                      • GetWindowsDirectoryA.KERNEL32(00000104,?,00000104,00000000,?,?,004011D5,004084C5,00000000), ref: 00401307
                      • lstrlenA.KERNEL32(?,00000104,00000000,?,?,004011D5,004084C5,00000000), ref: 00401313
                      • lstrcatA.KERNEL32(\SYSTEM32,00000104,00000000,?,?,004011D5,004084C5,00000000), ref: 00401339
                      • lstrlenA.KERNEL32(?,?,004011D5,004084C5,00000000), ref: 00401341
                      • GetSystemDirectoryA.KERNEL32(00000104), ref: 0040135D
                      • lstrlenA.KERNEL32(?,004011D5,004084C5,00000000), ref: 00401369
                      • GetTempPathA.KERNEL32(00000104,004011D5,004084C5,00000000), ref: 00401385
                      • lstrlenA.KERNEL32 ref: 004013B5
                      • lstrcpyA.KERNEL32 ref: 004013D8
                      • lstrcatA.KERNEL32(\TEMP), ref: 004013E9
                      • lstrlenA.KERNEL32 ref: 004013F1
                        • Part of subcall function 00401516: CreateDirectoryA.KERNELBASE(?,00000000,74DF0440), ref: 0040152B
                        • Part of subcall function 00401516: GetLastError.KERNEL32(00000104), ref: 00401532
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: lstrlen$Directory$QueryValuelstrcat$CloseCreateErrorLastOpenPathSystemTempWindowslstrcpy
                      • String ID: CommonFilesDir$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion$\SYSTEM32$\TEMP
                      • API String ID: 2033489415-1425596482
                      • Opcode ID: 484ea35a3838f45e862c863326509a13619371f69a3906ca624496b220c84a3a
                      • Instruction ID: b8a1318e7af564e0b0ded9625fca370817e24f0f7eb51550ee6589bcf45768b5
                      • Opcode Fuzzy Hash: 484ea35a3838f45e862c863326509a13619371f69a3906ca624496b220c84a3a
                      • Instruction Fuzzy Hash: 2741E771C04604FEEB12AFA1ED45EEA3F79EB85315B10907AFA00A11B1DB760DA1DB1C

                      Control-flow Graph

                      APIs
                      • GetWindowLongA.USER32(?,000000F4), ref: 00405FA3
                      • SendMessageA.USER32(?,0000004E,00000000,?), ref: 00405FC0
                      • ShowWindow.USER32(?,00000000), ref: 00405FD7
                      • GetWindowLongA.USER32(00000000,000000F0), ref: 0040601E
                      • SetWindowLongA.USER32(0000013D,000000F0,00000000), ref: 00406030
                      • GetWindowLongA.USER32(0000013D,000000EC), ref: 0040603B
                      • SetWindowLongA.USER32(0000013D,000000EC,00000000), ref: 00406047
                      • KiUserCallbackDispatcher.NTDLL(0000013D,?), ref: 00406051
                      • MapDialogRect.USER32(?,00000000), ref: 0040607B
                      • SetWindowPos.USER32(0000013D,?,00000000,?,0000013D,000000C1,00000214,?,?,?,?,?,?,?,?,00406D44), ref: 00406096
                      • SendMessageA.USER32(?,0000004E,00000000,?), ref: 004060AD
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 004060D9
                      • ShowWindow.USER32(?,00000005), ref: 004060E3
                      • SetActiveWindow.USER32(?), ref: 004060EA
                      • GetNextDlgTabItem.USER32(?,00000000,00000000), ref: 004060FA
                      • GetNextDlgTabItem.USER32(?,00000000,00000000), ref: 00406103
                      • SetFocus.USER32(00000000), ref: 0040610E
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: Window$Long$ItemMessageNextRectSendShow$ActiveCallbackDialogDispatcherFocusInvalidateUser
                      • String ID: ,
                      • API String ID: 2573844063-3772416878
                      • Opcode ID: a88427ff19a4bb7c65b25fb01d94733f1f619c9fc4489373d61c9a729225c276
                      • Instruction ID: c810a3a7a2c82b263e177445ac1bd3eea7bfc2f35810992e2b98fb3a0d8f5966
                      • Opcode Fuzzy Hash: a88427ff19a4bb7c65b25fb01d94733f1f619c9fc4489373d61c9a729225c276
                      • Instruction Fuzzy Hash: 34516B7180020ABFEF109F94DD44EEE7BB9EB08350F208265F515BA1E1D7B59961CF68

                      Control-flow Graph

                      APIs
                      • GetParent.USER32(?), ref: 00402B96
                      • PostMessageA.USER32(00000000), ref: 00402B9D
                      • GetParent.USER32(?), ref: 00402BB4
                      • SendMessageA.USER32(00000000), ref: 00402BBB
                      • SetDlgItemTextA.USER32(?,0000007D), ref: 00402C2F
                      • GetDlgItemTextA.USER32(?,0000007C,?,00000104), ref: 00402C3E
                      • wsprintfA.USER32 ref: 00402C58
                      • SetDlgItemTextA.USER32(?,0000007C,?), ref: 00402C6D
                      • SendDlgItemMessageA.USER32(?,000003F0,00000404,00000001,00000000), ref: 00402C7F
                      • GetParent.USER32(?), ref: 00402CAB
                      • PostMessageA.USER32(00000000), ref: 00402CB8
                      • PostMessageA.USER32(?,0000040A,00000000,00000000), ref: 00402CC4
                      • GetParent.USER32(?), ref: 00402CD3
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: Message$ItemParent$PostText$Send$wsprintf
                      • String ID: Dialog1005$N
                      • API String ID: 4211404388-2088829370
                      • Opcode ID: cbd97426547241795dee63727df90208124d8fd3c4aceccb4521902cbf0c1f8f
                      • Instruction ID: 90c4454a4d70a67bff7f5c662d049eaa3f31fc0979748585f6adb19de3234dba
                      • Opcode Fuzzy Hash: cbd97426547241795dee63727df90208124d8fd3c4aceccb4521902cbf0c1f8f
                      • Instruction Fuzzy Hash: AE41AEB2944208BFEB115F64DE89FDE3B28EB04754F008076FB05BA1E0C7F85A919B59

                      APIs
                      • GetDC.USER32(?), ref: 00405E85
                      • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00405E94
                      • GetObjectA.GDI32(00000000,0000003C,?), ref: 00405EA1
                        • Part of subcall function 00405A65: GetModuleHandleA.KERNEL32(00000000,?,?,00000032,?,?,?,00000000), ref: 00405AB9
                        • Part of subcall function 00405A65: LoadStringA.USER32(00000000,?,?,?), ref: 00405AC0
                        • Part of subcall function 00405A65: lstrcpyA.KERNEL32(00000008,00000001,?,?,?,?,00000000), ref: 00405B10
                      • GetSystemDefaultLCID.KERNEL32 ref: 00405ED6
                        • Part of subcall function 0040557F: GetDC.USER32(00000000), ref: 004055A9
                        • Part of subcall function 0040557F: lstrcpynA.KERNEL32(?,?,00000020,?,?,00000000), ref: 004055C7
                        • Part of subcall function 0040557F: lstrcpynA.KERNEL32(?,?,00000020,?,?,00000000), ref: 004055D2
                        • Part of subcall function 0040557F: EnumFontFamiliesExA.GDI32(00405B9D,?,0040566B,?,00000000), ref: 004055E5
                        • Part of subcall function 0040557F: lstrcpyA.KERNEL32(?,System,?,?,00000000), ref: 00405642
                        • Part of subcall function 0040557F: ReleaseDC.USER32(00000000,00405B9D), ref: 0040564C
                        • Part of subcall function 0040557F: lstrcmpiA.KERNEL32(SYSTEM,?), ref: 0040565A
                      • GetDeviceCaps.GDI32(?,0000005A), ref: 00405F0B
                      • MulDiv.KERNEL32(00000008,00000000), ref: 00405F19
                      • GetSystemDefaultLCID.KERNEL32 ref: 00405F20
                      • CreateFontIndirectA.GDI32(?), ref: 00405F31
                      • GetObjectA.GDI32(00000000,0000003C,?), ref: 00405F4C
                      • GetDeviceCaps.GDI32(?,0000005A), ref: 00405F59
                      • MulDiv.KERNEL32(?,00000000), ref: 00405F5F
                      • ReleaseDC.USER32(00000008,?), ref: 00405F6D
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: CapsDefaultDeviceFontObjectReleaseSystemlstrcpylstrcpyn$CreateEnumFamiliesHandleIndirectLoadMessageModuleSendStringlstrcmpi
                      • String ID: RA
                      • API String ID: 1623091726-1835522636
                      • Opcode ID: 375fca667be939cecacc089df5ed3d8ffc98228ee59f732c3f7b74c184ab2bc5
                      • Instruction ID: 3f0e02d31c7ef7f03ddc858a155477038c6742ad89a021fc03ee3a6a4490011e
                      • Opcode Fuzzy Hash: 375fca667be939cecacc089df5ed3d8ffc98228ee59f732c3f7b74c184ab2bc5
                      • Instruction Fuzzy Hash: 02414DB290020DEFEF11DFA4DD45ADE7BB8EB08300F104566F605E62A1DBB4AA55CF64

                      APIs
                      • GetParent.USER32(00000000), ref: 00406E95
                      • CreateSolidBrush.GDI32(00FFFFFF), ref: 00406F1A
                      • GetWindowTextA.USER32(00000000,00000000,000000FF), ref: 00406F83
                      • lstrcpynA.KERNEL32(00000000,?,000000FF), ref: 00406FA2
                      • LoadStringA.USER32(FFFFFF38,?,00000000,000000FF), ref: 00406FB5
                      • SetWindowTextA.USER32(?,00000000), ref: 00406FC5
                      • GetDlgItem.USER32(00000002,000003EE), ref: 00406FE1
                      • ShowWindow.USER32(00000000), ref: 00406FEA
                      • GetDlgItem.USER32(00000002,000003EE), ref: 00407000
                      • ShowWindow.USER32(00000000), ref: 00407009
                      • GetDlgItem.USER32(00000002,000003EC), ref: 00407015
                      • ShowWindow.USER32(00000000), ref: 00407018
                      • GetDlgItem.USER32(00000002,00000009), ref: 00407028
                      • KiUserCallbackDispatcher.NTDLL(00000000), ref: 0040702B
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: Window$Item$Show$Text$BrushCallbackCreateDispatcherLoadParentSolidStringUserlstrcpyn
                      • String ID:
                      • API String ID: 313981350-0
                      • Opcode ID: b11268bb424ce1df5ebee578d927bd48d028689b9858807a05c6a9323baf3545
                      • Instruction ID: 2872b55d1f692e11e1875d4323858d8e184a8704f431eb1a3afcc9c9b00dfc91
                      • Opcode Fuzzy Hash: b11268bb424ce1df5ebee578d927bd48d028689b9858807a05c6a9323baf3545
                      • Instruction Fuzzy Hash: 8151A131A04205ABEF219F94DD85FAF7B69EF04300F1481B6F901A62D1D7B8AD51CB5A

                      APIs
                      • GetDC.USER32(00000000), ref: 004055A9
                      • lstrcpynA.KERNEL32(?,?,00000020,?,?,00000000), ref: 004055C7
                      • lstrcpynA.KERNEL32(?,?,00000020,?,?,00000000), ref: 004055D2
                      • EnumFontFamiliesExA.GDI32(00405B9D,?,0040566B,?,00000000), ref: 004055E5
                      • GetStockObject.GDI32(00000011), ref: 00405616
                      • GetStockObject.GDI32(0000000D), ref: 0040561E
                      • GetObjectA.GDI32(00000000,0000003C,?), ref: 0040562E
                      • lstrcpyA.KERNEL32(?,System,?,?,00000000), ref: 00405642
                      • ReleaseDC.USER32(00000000,00405B9D), ref: 0040564C
                      • lstrcmpiA.KERNEL32(SYSTEM,?), ref: 0040565A
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: Object$Stocklstrcpyn$EnumFamiliesFontReleaselstrcmpilstrcpy
                      • String ID: SYSTEM$System
                      • API String ID: 2556058953-688511314
                      • Opcode ID: 49b4ed2404de54e2a8acf6bc63fb5b8adc6f8446b0a38dd1eed79f9a336c92e6
                      • Instruction ID: 07c731dcb79809f80e933624f03f581b9ace529438ec9e0843598b74fcfdfe54
                      • Opcode Fuzzy Hash: 49b4ed2404de54e2a8acf6bc63fb5b8adc6f8446b0a38dd1eed79f9a336c92e6
                      • Instruction Fuzzy Hash: 65318932A00248ABDB109FE0DD44EDEBF79EB08300F104576F605E6190DAB19A59CB64

                      APIs
                      • GetTempFileNameA.KERNELBASE(pftw,00000000,?,00000000,00000000), ref: 00403C62
                      • DeleteFileA.KERNELBASE ref: 00403C6E
                        • Part of subcall function 00401516: CreateDirectoryA.KERNELBASE(?,00000000,74DF0440), ref: 0040152B
                        • Part of subcall function 00401516: GetLastError.KERNEL32(00000104), ref: 00401532
                      • lstrcatA.KERNEL32(004141DC), ref: 00403C9C
                        • Part of subcall function 0040435E: LoadStringA.USER32(0000013A,00000000,00000104), ref: 0040443A
                        • Part of subcall function 0040435E: LoadStringA.USER32(00000144,00000000,00000104), ref: 00404466
                        • Part of subcall function 0040435E: wsprintfA.USER32 ref: 00404495
                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403CD1
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: File$LoadNameString$CreateDeleteDirectoryErrorLastModuleTemplstrcatwsprintf
                      • String ID: ;@$%spftw%d.pkg$pftw
                      • API String ID: 2331854316-3826334059
                      • Opcode ID: 94e0f6f4a58d888728c1c5ee562db3479d3c3ff163ab7328aecc04b4a428a004
                      • Instruction ID: 12e313f2436abc2c223298fa10dd69e28fa37dc7b24254fc1f0ea3828e4c6c80
                      • Opcode Fuzzy Hash: 94e0f6f4a58d888728c1c5ee562db3479d3c3ff163ab7328aecc04b4a428a004
                      • Instruction Fuzzy Hash: 0F717A72D00109FBDF12AFA4DC46AEEBB79FB48305F1081BAE600B61E1D7755A509F98

                      APIs
                      • wsprintfA.USER32 ref: 00402574
                        • Part of subcall function 0040144C: wsprintfA.USER32 ref: 00401471
                        • Part of subcall function 0040144C: GetPrivateProfileStringA.KERNEL32(00000000,00000000,004152D8,?,?,00000200), ref: 00401492
                      • lstrlenA.KERNEL32(?), ref: 0040259B
                      • lstrcpyA.KERNEL32(?,?), ref: 004025BD
                      • lstrlenA.KERNEL32(?), ref: 004025E4
                      • lstrcpyA.KERNEL32(?,?), ref: 00402606
                      • lstrcpyA.KERNEL32(?), ref: 0040264B
                      • wsprintfA.USER32 ref: 00402669
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: lstrcpywsprintf$lstrlen$PrivateProfileString
                      • String ID: %s - %s$/+@$Dialog%d$WizardButtons
                      • API String ID: 923603523-772029591
                      • Opcode ID: 881c71223a75bef453cc292f9632967a0bd85ddcf4a4becfe4aac514c1a45f7e
                      • Instruction ID: 96c314ecf7e564ef5820de7ade4bb3ee155de013ef7a89ca75c380db143c8e31
                      • Opcode Fuzzy Hash: 881c71223a75bef453cc292f9632967a0bd85ddcf4a4becfe4aac514c1a45f7e
                      • Instruction Fuzzy Hash: 68414DB1900209FFCB05DF94DD84DEA7BB8FB48304F0480BAE608E32A1E6749A55CB58

                      APIs
                      • GetTempFileNameA.KERNELBASE(ext,00000000,?,?,0000000A,00000000), ref: 00401F59
                        • Part of subcall function 00401756: lstrlenA.KERNEL32(00000100,00000000,00000104,00000003,00401687,?,00000000,00000100,00000000,00000104,00000000,00401208,00000000), ref: 0040179B
                        • Part of subcall function 00401756: lstrcpyA.KERNEL32(00000103,00000104), ref: 004017C0
                        • Part of subcall function 00401756: CreateFileA.KERNELBASE(00000100,C0000000,00000003,00000000,00000004,00000080,00000000,00000000,00000104,00000003,00401687,?,00000000,00000100,00000000,00000104), ref: 004017D4
                        • Part of subcall function 00401756: MessageBoxA.USER32(00000000,00000000,00000100,00000000), ref: 004017EC
                        • Part of subcall function 0040182F: WriteFile.KERNELBASE(?,00000000,00401F8D,?,00000000,?,B!@,00401F8D,00000000,B!@), ref: 00401846
                        • Part of subcall function 00401851: CloseHandle.KERNELBASE(?,00401F93,00000000,00000000,B!@,?), ref: 00401855
                      • LZOpenFileA.LZ32(?,?,00000000), ref: 00401FA5
                      • LZOpenFileA.LZ32(?,?,00001001,?,?,00000000), ref: 00401FBB
                      • LZCopy.LZ32(00000000,00000000,?,?,00001001,?,?,00000000), ref: 00401FC4
                      • LZClose.LZ32(00000000,00000000,00000000,?,?,00001001,?,?,00000000), ref: 00401FCC
                      • LZClose.LZ32(00000000,00000000,00000000,00000000,?,?,00001001,?,?,00000000), ref: 00401FD2
                      • DeleteFileA.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,00001001,?,?,00000000), ref: 00401FDE
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: File$Close$Open$CopyCreateDeleteHandleMessageNameTempWritelstrcpylstrlen
                      • String ID: B!@$ext
                      • API String ID: 392910099-188301965
                      • Opcode ID: d1590a1420de76f0933203f5635da461990908acbfb2f756bc827cc8183e489c
                      • Instruction ID: 3d49780117c606b421ba04891a1f67cb2e7e710ea9e2b813183b00db6651fddf
                      • Opcode Fuzzy Hash: d1590a1420de76f0933203f5635da461990908acbfb2f756bc827cc8183e489c
                      • Instruction Fuzzy Hash: 0611B2729001187BDB11BAB5DC85DDB7A7CEB09354F0041B6F704F2091EAB89E898BA8

                      APIs
                      • wsprintfA.USER32 ref: 00403FD7
                      • SendDlgItemMessageA.USER32(00403BB0,000003F0,00000401,00000000,?), ref: 00404058
                      • SendDlgItemMessageA.USER32(00403BB0,000003F0,00000404,00000001,00000000), ref: 00404066
                      • SendDlgItemMessageA.USER32(00403BB0,000003F0,00000402,00000000,00000000), ref: 00404073
                      • wsprintfA.USER32 ref: 00404084
                      • wsprintfA.USER32 ref: 004040F0
                        • Part of subcall function 004041D0: wsprintfA.USER32 ref: 0040421D
                        • Part of subcall function 004041D0: LoadStringA.USER32(0000013E,00000000,00000104), ref: 004042CC
                        • Part of subcall function 004041D0: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004042F0
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: wsprintf$ItemMessageSend$DirectoryLoadStringSystem
                      • String ID: %spftw%d.pkg$pftw%d.pkg
                      • API String ID: 1650874441-2597992743
                      • Opcode ID: 4eebab618b450aa3f7fd41307a240493ff644f81ebd72e8df54e816575ac87cb
                      • Instruction ID: d6794c9eae18c269eba4de4c763d0b7cb6e321eed27d50aedce7be1bff975677
                      • Opcode Fuzzy Hash: 4eebab618b450aa3f7fd41307a240493ff644f81ebd72e8df54e816575ac87cb
                      • Instruction Fuzzy Hash: 6851A0B2D00209FADF11AF91DC86EEE7B79EB44355F10407BF600B61E0D6799A94CB58
                      APIs
                      • wsprintfA.USER32 ref: 0040421D
                        • Part of subcall function 004014B7: FindFirstFileA.KERNELBASE(00000000,00000000,%spftw%d.pkg,75BF8400), ref: 004014E0
                        • Part of subcall function 004014B7: FindClose.KERNELBASE(00000000), ref: 0040150A
                        • Part of subcall function 00401000: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,75BF8400,00404248,00000000), ref: 00401020
                        • Part of subcall function 00401000: CreateFileMappingA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00401042
                        • Part of subcall function 00401000: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000,%spftw%d.pkg), ref: 00401056
                        • Part of subcall function 00401000: UnmapViewOfFile.KERNEL32(00000000), ref: 0040109E
                        • Part of subcall function 00401000: CloseHandle.KERNEL32(?), ref: 004010AC
                        • Part of subcall function 00401000: CloseHandle.KERNEL32(?), ref: 004010B6
                      • LoadStringA.USER32(0000013E,00000000,00000104), ref: 004042CC
                      • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004042F0
                      • lstrcpynA.KERNEL32(00000000,00000000,00000004), ref: 00404306
                      • wsprintfA.USER32 ref: 00404321
                      • MessageBoxA.USER32(00000000,00000000,00000010), ref: 00404338
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: File$Close$CreateFindHandleViewwsprintf$DirectoryFirstLoadMappingMessageStringSystemUnmaplstrcpyn
                      • String ID: %spftw%d.pkg$Strings
                      • API String ID: 814168234-1817537881
                      • Opcode ID: fe1dfde1775bbe96f4860f511b2e31e7a49654d501fba0b44a097d49aca595fd
                      • Instruction ID: aa45d4eb1cc67370b5327d69560b9289235f2cb023d8b4e1b319448ccbc0bd05
                      • Opcode Fuzzy Hash: fe1dfde1775bbe96f4860f511b2e31e7a49654d501fba0b44a097d49aca595fd
                      • Instruction Fuzzy Hash: 774160B2D0011CBBDF21DB94CC45BDA7B7DAB88314F1040F6E609A21A0D7B59B99CF95
                      APIs
                      • GetWindow.USER32(?,00000005), ref: 00403115
                      • wsprintfA.USER32 ref: 00403125
                        • Part of subcall function 0040144C: wsprintfA.USER32 ref: 00401471
                        • Part of subcall function 0040144C: GetPrivateProfileStringA.KERNEL32(00000000,00000000,004152D8,?,?,00000200), ref: 00401492
                      • GetWindowTextA.USER32(?,00000000,00000104), ref: 00403155
                      • SetWindowTextA.USER32(?,00000000), ref: 00403174
                      • GetWindowLongA.USER32(00000000,000000F4), ref: 00403181
                      • SetWindowTextA.USER32(00000000), ref: 004031A6
                      • GetWindow.USER32(00000000,00000002), ref: 004031AF
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: Window$Text$wsprintf$LongPrivateProfileString
                      • String ID: Dialog%d
                      • API String ID: 3814457349-3309310893
                      • Opcode ID: 6bc2369422f00086f7a31489e14f0be79116b788b4708b4c32c2a2e818d1f262
                      • Instruction ID: 5046d9b4ebfc913bd1783b0bc3271d78b5d9fbcb43db7c740fe162fa735a6065
                      • Opcode Fuzzy Hash: 6bc2369422f00086f7a31489e14f0be79116b788b4708b4c32c2a2e818d1f262
                      • Instruction Fuzzy Hash: EE218E72900208BBDB119FA5CD49FDF7F7CAB08311F1440B2FA05E51A1DBB49A98CAA5
                      APIs
                      • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,75BF8400,00404248,00000000), ref: 00401020
                      • CreateFileMappingA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00401042
                      • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000,%spftw%d.pkg), ref: 00401056
                      • UnmapViewOfFile.KERNEL32(00000000), ref: 0040109E
                      • CloseHandle.KERNEL32(?), ref: 004010AC
                      • CloseHandle.KERNEL32(?), ref: 004010B6
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: File$CloseCreateHandleView$MappingUnmap
                      • String ID: %spftw%d.pkg$MSCF
                      • API String ID: 3514913828-2673492247
                      • Opcode ID: 24f3f7fc801688f9eaf99ce70f6113ee1d9c56ac9f722cffc28ffdcb8119983d
                      • Instruction ID: 691d4bf6ba1683a1953c8008f2bd20b8f17f439e81753d5668e4e6b381f56706
                      • Opcode Fuzzy Hash: 24f3f7fc801688f9eaf99ce70f6113ee1d9c56ac9f722cffc28ffdcb8119983d
                      • Instruction Fuzzy Hash: 68217FB0900209FFDB209F64CD89DAA7B78FB04364F108225F954A62A0D7705E918B64
                      APIs
                        • Part of subcall function 00405B28: __EH_prolog.LIBCMT ref: 00405B2D
                        • Part of subcall function 00405B28: GetSystemDefaultLCID.KERNEL32(?,?), ref: 00405B77
                        • Part of subcall function 00405B28: CreateDialogIndirectParamA.USER32(?,?,00000008,?,?), ref: 00405BC2
                      • IsWindow.USER32(00000000), ref: 004059FF
                      • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000001), ref: 00405A1A
                      • IsDialogMessageA.USER32(00000000,00000000,?,?,?,00000084,00000000), ref: 00405A26
                      • TranslateMessage.USER32(00000000), ref: 00405A34
                      • DispatchMessageA.USER32(00000000), ref: 00405A3E
                      • IsWindow.USER32(00000000), ref: 00405A4A
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: Message$DialogWindow$CreateDefaultDispatchH_prologIndirectParamPeekSystemTranslate
                      • String ID: IDD_WIZ97SHEET
                      • API String ID: 789772741-3834813342
                      • Opcode ID: acd2d9f31ab4bcb3e27ade1083a15718f9e3fd9ba2b49a1adc342b7c1bed8ea4
                      • Instruction ID: 4c3a5d72348a75fd09bca3f2296b2fc46ebc52f90f9c3c15420638faf67c0e5e
                      • Opcode Fuzzy Hash: acd2d9f31ab4bcb3e27ade1083a15718f9e3fd9ba2b49a1adc342b7c1bed8ea4
                      • Instruction Fuzzy Hash: 1321D332600A06ABDF20ABA5DC84FAB37ADEB44710F004676F512F61E0D7B8D945CF69
                      APIs
                        • Part of subcall function 0040412D: lstrcpynA.KERNEL32(00000000,00000000,00000104,00000000,00000000,00404390,?,00000000,?,00000000,00000000), ref: 0040413D
                        • Part of subcall function 0040450C: LoadStringA.USER32(0000013B,?, D@,00000040), ref: 00404560
                      • LoadStringA.USER32(0000013A,00000000,00000104), ref: 0040443A
                        • Part of subcall function 0040144C: wsprintfA.USER32 ref: 00401471
                        • Part of subcall function 0040144C: GetPrivateProfileStringA.KERNEL32(00000000,00000000,004152D8,?,?,00000200), ref: 00401492
                      • LoadStringA.USER32(00000144,00000000,00000104), ref: 00404466
                      • wsprintfA.USER32 ref: 00404495
                      • MessageBoxA.USER32(00403CB6,00000000,00000015), ref: 004044DC
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: String$Load$wsprintf$MessagePrivateProfilelstrcpyn
                      • String ID: %s%s$Strings
                      • API String ID: 2647973942-1828133090
                      • Opcode ID: cf7097ee5c24ea06a11e3584fed3c1074670075aeec370264420f76709514dfb
                      • Instruction ID: 2b452fd1fdfa48185843a69e1533de335b8bbc53c06f3961de6cc754a18a61eb
                      • Opcode Fuzzy Hash: cf7097ee5c24ea06a11e3584fed3c1074670075aeec370264420f76709514dfb
                      • Instruction Fuzzy Hash: DD4160B290051CBBEF219A54DC44BDB7B7CAB98304F0044F6E708E2090E6B59B998FA5
                      APIs
                      • lstrcpyA.KERNEL32(00000000,00000000,00000000,?), ref: 00403B3D
                      • lstrlenA.KERNEL32(00000000), ref: 00403B4A
                      • wsprintfA.USER32 ref: 00403B6E
                      • wsprintfA.USER32 ref: 00403BDF
                      • DeleteFileA.KERNELBASE(00000000), ref: 00403BFD
                        • Part of subcall function 0040341C: lstrlenA.KERNEL32(00000000,000000FF,00000000,00403AEA,?), ref: 00403428
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: lstrlenwsprintf$DeleteFilelstrcpy
                      • String ID: %spftw%d.pkg
                      • API String ID: 298142350-1047716302
                      • Opcode ID: a350e0ecbfcf782c83ba2aa1a11bddb2a86b8900ad44e37ed806e47173306ee1
                      • Instruction ID: ce956ce2abbc573c68776990b765245df5f8392b8224487e3c78295e4a619f1f
                      • Opcode Fuzzy Hash: a350e0ecbfcf782c83ba2aa1a11bddb2a86b8900ad44e37ed806e47173306ee1
                      • Instruction Fuzzy Hash: 4E419372900614FBDB219F65ED84BC63BBCA75531AF1080B7E604F21E2D778AA84CF18
                      APIs
                      • CharNextA.USER32(00000000,?,?,00000000), ref: 00404797
                      • LoadStringA.USER32(00000032,?,00000104), ref: 004047CF
                      • wsprintfA.USER32 ref: 004047E3
                      • SetDlgItemTextA.USER32(0000007D), ref: 004047FA
                      • SendDlgItemMessageA.USER32(000003F0,00000405,00000000,00000000), ref: 00404812
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: Item$CharLoadMessageNextSendStringTextwsprintf
                      • String ID: Dialog1005
                      • API String ID: 1769985620-3824541873
                      • Opcode ID: 0e6cc27e28846d8ee06da9ac82c324bbe2c2274ddb56c06d7c8c7926e3d13150
                      • Instruction ID: 071e3de5d95ee257b914e9ad6e9860549928f8a7bd56e07976be8cec3b2e0207
                      • Opcode Fuzzy Hash: 0e6cc27e28846d8ee06da9ac82c324bbe2c2274ddb56c06d7c8c7926e3d13150
                      • Instruction Fuzzy Hash: 091190B6900115FFD7119FA4ED85EDA3B3CEB88715F00C077F708A21B0E6B45A99CA59
                      APIs
                      • CompareStringA.KERNELBASE(00000400,00000001,00000000,?,.exe,?,74DE8A60,74DE83C0,?,00000000,00403592,?,?), ref: 0040377D
                      • CompareStringA.KERNEL32(00000400,00000001,00000000,?,.com,?,?,.exe,?,74DE8A60,74DE83C0,?,00000000,00403592,?,?), ref: 0040378E
                      • CompareStringA.KERNEL32(00000400,00000001,00000000,?,.bat,?,?,.com,?,?,.exe,?,74DE8A60,74DE83C0,?,00000000), ref: 0040379F
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: CompareString
                      • String ID: .bat$.com$.exe
                      • API String ID: 1825529933-1058830844
                      • Opcode ID: 97efc997610651e5e4e3691a5de0ed57ee26f16569f8c74785d82ae2295091aa
                      • Instruction ID: b66dab666824bd8ebb6fb95d8a17fbf1f56e98b8f18585c7c3eaa19fd64d8d65
                      • Opcode Fuzzy Hash: 97efc997610651e5e4e3691a5de0ed57ee26f16569f8c74785d82ae2295091aa
                      • Instruction Fuzzy Hash: 3DF01DB5284A1D3AF42029629C89F772E5CC7D3BAAF254177B600B61D0D99A6C815178
                      APIs
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: DesktopLoadMessageStringWindow
                      • String ID:
                      • API String ID: 3689829364-0
                      • Opcode ID: 11cbdfb3b5e1387e57374a5c9d01a10e7501fb6546081184fb4342370acf85e2
                      • Instruction ID: 42c128e63d39f64f6cf661a9f4263b80dc877af0575e705b197107ede920bc3e
                      • Opcode Fuzzy Hash: 11cbdfb3b5e1387e57374a5c9d01a10e7501fb6546081184fb4342370acf85e2
                      • Instruction Fuzzy Hash: 16816C71D00604EBDB11DFA4DE89AEE77B8BB48305F64857BE601B22D0D3B89E448F58
                      APIs
                      • SetDlgItemTextA.USER32(?,000003E8,02161B00), ref: 00402A3A
                      • GetParent.USER32(?), ref: 00402A79
                      • PostMessageA.USER32(00000000,00000470,00000000,00000002), ref: 00402A99
                      • GetDlgItemTextA.USER32(?,000003E8,02161B00,00000104), ref: 00402AC6
                        • Part of subcall function 004032BD: GetDlgItemTextA.USER32(?,?,00000104), ref: 004032E5
                        • Part of subcall function 004032BD: SHBrowseForFolderA.SHELL32(00000000), ref: 00403301
                        • Part of subcall function 004032BD: SHGetPathFromIDListA.SHELL32(00000000), ref: 00403318
                        • Part of subcall function 004032BD: SetDlgItemTextA.USER32(?,?), ref: 00403328
                        • Part of subcall function 004032BD: SHGetMalloc.SHELL32(00000000), ref: 00403332
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: ItemText$BrowseFolderFromListMallocMessageParentPathPost
                      • String ID: g
                      • API String ID: 1010951078-30677878
                      • Opcode ID: b742a83b197d47dfac775162a6c5ddbcb7e373c9143dd499ed396366642dcd90
                      • Instruction ID: d8b32ef004fa54378b1191a8e2bc41d3af02711dac178a4e3d8bdd2ffba9f45c
                      • Opcode Fuzzy Hash: b742a83b197d47dfac775162a6c5ddbcb7e373c9143dd499ed396366642dcd90
                      • Instruction Fuzzy Hash: 4131E931750200BBEA229F24DD49F9A3B14EB04720F108237FA18B91E0DBF89D519A5C
                      APIs
                        • Part of subcall function 0040144C: wsprintfA.USER32 ref: 00401471
                        • Part of subcall function 0040144C: GetPrivateProfileStringA.KERNEL32(00000000,00000000,004152D8,?,?,00000200), ref: 00401492
                      • GetModuleHandleA.KERNEL32(00000000,?,?,00000032,?,?,?,00000000), ref: 00405AB9
                      • LoadStringA.USER32(00000000,?,?,?), ref: 00405AC0
                      • lstrcpyA.KERNEL32(00000008,00000001,?,?,?,?,00000000), ref: 00405B10
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: String$HandleLoadModulePrivateProfilelstrcpywsprintf
                      • String ID: Fonts$MS SHELL DLG
                      • API String ID: 4179438950-934462964
                      • Opcode ID: 781aa288f6b884d16fc182600214ea056c811c84ec67e0d8d43a627e3cc57e8f
                      • Instruction ID: b3340a8ccf511f2966212395d6b1658a53f90b9da072ca87f9bae3e61cb4b3b6
                      • Opcode Fuzzy Hash: 781aa288f6b884d16fc182600214ea056c811c84ec67e0d8d43a627e3cc57e8f
                      • Instruction Fuzzy Hash: 0D210532A44218BFDB609F64DC45ACB7B78DB14354F1040B6F684F6180DAB4AEC4CF58
                      APIs
                      • lstrcpyA.KERNEL32(00000000,?,?,00000104), ref: 004031EA
                        • Part of subcall function 004056A7: lstrcpyA.KERNEL32(004031FC,004031FC,?,00000000,004031FC,00000000), ref: 004056DD
                      • lstrlenA.KERNEL32(00000000), ref: 00403211
                      • lstrcatA.KERNEL32(00000000,00000000), ref: 00403247
                      • GetFileAttributesA.KERNELBASE(00000000), ref: 00403254
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: lstrcpy$AttributesFilelstrcatlstrlen
                      • String ID: :
                      • API String ID: 310069060-336475711
                      • Opcode ID: 319e75f54e343a22791ad2ee91426da9a3e1c51d77a2d79d45180236b6f6a881
                      • Instruction ID: db8e461ea4f11f36e1a27dd467dcf5bd8ba1053b5d2fffaabfdbfedaf659a9c1
                      • Opcode Fuzzy Hash: 319e75f54e343a22791ad2ee91426da9a3e1c51d77a2d79d45180236b6f6a881
                      • Instruction Fuzzy Hash: 8B1182B2D00519ABCF209A74DD48BCA7BACDB15711F1049E6E688E6090D7B8DAC48A54
                      APIs
                        • Part of subcall function 00401756: lstrlenA.KERNEL32(00000100,00000000,00000104,00000003,00401687,?,00000000,00000100,00000000,00000104,00000000,00401208,00000000), ref: 0040179B
                        • Part of subcall function 00401756: lstrcpyA.KERNEL32(00000103,00000104), ref: 004017C0
                        • Part of subcall function 00401756: CreateFileA.KERNELBASE(00000100,C0000000,00000003,00000000,00000004,00000080,00000000,00000000,00000104,00000003,00401687,?,00000000,00000100,00000000,00000104), ref: 004017D4
                        • Part of subcall function 00401756: MessageBoxA.USER32(00000000,00000000,00000100,00000000), ref: 004017EC
                      • DosDateTimeToFileTime.KERNEL32(?,?,00000000), ref: 004046F3
                      • LocalFileTimeToFileTime.KERNEL32(00000000,00000000,?,?,00000000), ref: 0040470F
                      • SetFileTime.KERNELBASE(?,00000000,00000000,00000000,?,?,00000000), ref: 00404726
                      • CloseHandle.KERNEL32(?,?,?,00000000), ref: 0040472F
                      • SetFileAttributesA.KERNELBASE(?,?,?,?,00000000,?), ref: 0040473D
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: File$Time$AttributesCloseCreateDateHandleLocalMessagelstrcpylstrlen
                      • String ID:
                      • API String ID: 4208775115-0
                      • Opcode ID: fb7b4647a0fa937278299bdb1fae9b1d9bad741ea6df0dc9ce4f3f42eaf5c9a9
                      • Instruction ID: 61b3019666c1cd91f8ea15d75bb96daa505a9d875bed6fc4ce62bfac5becf82d
                      • Opcode Fuzzy Hash: fb7b4647a0fa937278299bdb1fae9b1d9bad741ea6df0dc9ce4f3f42eaf5c9a9
                      • Instruction Fuzzy Hash: 2F113D76900208BFDB119FA4DC44BEF7BB8FB08321F108626B615E61A0D7B0AA58CB54
                      APIs
                        • Part of subcall function 004037B1: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004037D8
                        • Part of subcall function 004037B1: TranslateMessage.USER32(?), ref: 004037E2
                        • Part of subcall function 004037B1: DispatchMessageA.USER32(?), ref: 004037EC
                        • Part of subcall function 004037B1: Sleep.KERNELBASE(000003E8,?,00000000,?,?,?,?,?,004049FA,00000007,00401111), ref: 004037FE
                      • wsprintfA.USER32 ref: 004018BB
                        • Part of subcall function 004045C0: lstrcpyA.KERNEL32(00000000,?,?,?,00000000), ref: 004045F3
                        • Part of subcall function 004045C0: lstrcpyA.KERNEL32(?,?), ref: 0040461E
                        • Part of subcall function 004045C0: lstrcatA.KERNEL32(?,00000000), ref: 0040464A
                        • Part of subcall function 004045C0: lstrcatA.KERNEL32(?,00000000), ref: 00404673
                      • GetFileAttributesA.KERNELBASE(?), ref: 004019CC
                      • SetFileAttributesA.KERNELBASE(?,00000000), ref: 004019DC
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: Message$AttributesFilelstrcatlstrcpy$DispatchPeekSleepTranslatewsprintf
                      • String ID: %spftw%d.pkg
                      • API String ID: 2142701919-1047716302
                      • Opcode ID: 7e5174a6bd9dd74f641772507cf82392727565d78a5c886f98d7c6dd3dfca26b
                      • Instruction ID: 5032449dbadb55fa08a4c4925c8d66602a1368f41f69c7a135982dda4450436a
                      • Opcode Fuzzy Hash: 7e5174a6bd9dd74f641772507cf82392727565d78a5c886f98d7c6dd3dfca26b
                      • Instruction Fuzzy Hash: 4441E6B2904604FFDB11DBA0DD549DA37A8EB44314F10847BE685F62E0DB789A84CF59
                      APIs
                        • Part of subcall function 0040144C: wsprintfA.USER32 ref: 00401471
                        • Part of subcall function 0040144C: GetPrivateProfileStringA.KERNEL32(00000000,00000000,004152D8,?,?,00000200), ref: 00401492
                      • SetDlgItemTextA.USER32(?,00003023,00000000), ref: 00403083
                      • SetDlgItemTextA.USER32(?,00003024,00000000), ref: 004030AB
                      • SetDlgItemTextA.USER32(?,00000002,00000000), ref: 004030D0
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: ItemText$PrivateProfileStringwsprintf
                      • String ID: WizardButtons
                      • API String ID: 3553643764-2007458381
                      • Opcode ID: e09057e7fe4b7986bc14f88d13c943a0e20143da502d70cde4d01071ac3bb8b5
                      • Instruction ID: 7ad0cda6faaa613b98af69d845cb9911c67994a298f99c7e9f8dc1adabec92ad
                      • Opcode Fuzzy Hash: e09057e7fe4b7986bc14f88d13c943a0e20143da502d70cde4d01071ac3bb8b5
                      • Instruction Fuzzy Hash: C311E1B2A011183BEB21A655CD86FEB7AACDB44344F0000B2FB48F10D1E7B49F848A69
                      APIs
                      • GetTempFileNameA.KERNELBASE(plf,00000000,00000000,0000000A,00401DC0,0000000A,?), ref: 004020B9
                        • Part of subcall function 00401F22: GetTempFileNameA.KERNELBASE(ext,00000000,?,?,0000000A,00000000), ref: 00401F59
                        • Part of subcall function 00401F22: LZOpenFileA.LZ32(?,?,00000000), ref: 00401FA5
                        • Part of subcall function 00401F22: LZOpenFileA.LZ32(?,?,00001001,?,?,00000000), ref: 00401FBB
                        • Part of subcall function 00401F22: LZCopy.LZ32(00000000,00000000,?,?,00001001,?,?,00000000), ref: 00401FC4
                        • Part of subcall function 00401F22: LZClose.LZ32(00000000,00000000,00000000,?,?,00001001,?,?,00000000), ref: 00401FCC
                        • Part of subcall function 00401F22: LZClose.LZ32(00000000,00000000,00000000,00000000,?,?,00001001,?,?,00000000), ref: 00401FD2
                        • Part of subcall function 00401F22: DeleteFileA.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,00001001,?,?,00000000), ref: 00401FDE
                      • MessageBoxA.USER32(00000000,LoadLanguage Failed,00000000,00000000), ref: 004020E1
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: File$CloseNameOpenTemp$CopyDeleteMessage
                      • String ID: LoadLanguage Failed$plf
                      • API String ID: 2993821907-1067850953
                      • Opcode ID: 8812dba5c24b17e6dea431f09dd94d20df06281b7fc527fbf134747dabd6b30e
                      • Instruction ID: d38ef79dbff713fefad89899b590b2e6b40c12742f1d6448a2a5f3a417b44fd4
                      • Opcode Fuzzy Hash: 8812dba5c24b17e6dea431f09dd94d20df06281b7fc527fbf134747dabd6b30e
                      • Instruction Fuzzy Hash: 2DF05E71905610BBC7221B62FC09ADB3F59EB45724B10C03AF648901A4DA794950DB9D
                      APIs
                      • lstrcpyA.KERNEL32(00000000,?,?,?,00000000), ref: 004045F3
                      • lstrcpyA.KERNEL32(?,?), ref: 0040461E
                      • lstrcatA.KERNEL32(?,00000000), ref: 0040464A
                      • lstrcatA.KERNEL32(?,00000000), ref: 00404673
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: lstrcatlstrcpy
                      • String ID:
                      • API String ID: 3905823039-0
                      • Opcode ID: a1984d5c9da04d238e69f6078f7d7859324930cbd37cd6f7a9bff8ff729ed6a5
                      • Instruction ID: 61db6aab4e2636be709966db6b3c5c1a35639280622e8394678c83e8d2713a29
                      • Opcode Fuzzy Hash: a1984d5c9da04d238e69f6078f7d7859324930cbd37cd6f7a9bff8ff729ed6a5
                      • Instruction Fuzzy Hash: 9411D6B69002187AEB21A661DC85FEB3B6CDBD6314F0004BBE704B22D1E7BD59858A55
                      APIs
                      • lstrlenA.KERNEL32(00000100,00000000,00000104,00000003,00401687,?,00000000,00000100,00000000,00000104,00000000,00401208,00000000), ref: 0040179B
                      • lstrcpyA.KERNEL32(00000103,00000104), ref: 004017C0
                      • CreateFileA.KERNELBASE(00000100,C0000000,00000003,00000000,00000004,00000080,00000000,00000000,00000104,00000003,00401687,?,00000000,00000100,00000000,00000104), ref: 004017D4
                      • MessageBoxA.USER32(00000000,00000000,00000100,00000000), ref: 004017EC
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: CreateFileMessagelstrcpylstrlen
                      • String ID:
                      • API String ID: 4286855257-0
                      • Opcode ID: 160ebca381690fa461ccf0ab4bcd368d54cf8e795ac6d619ecfe71a26578ce76
                      • Instruction ID: d648a6e928725a24506a6e58ecff152d2494248be4f35687b1ab7fcc704e07b7
                      • Opcode Fuzzy Hash: 160ebca381690fa461ccf0ab4bcd368d54cf8e795ac6d619ecfe71a26578ce76
                      • Instruction Fuzzy Hash: 4811C271740B417AF73186649C8AF6B6688DB46B60F10853FF742B72E1C2B8AC45861D
                      APIs
                      • LoadIconA.USER32(00000067), ref: 004026E0
                      • SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004026FA
                      • LoadImageA.USER32(00000067,00000001,00000010,00000010,00000040), ref: 0040270C
                      • SendMessageA.USER32(?,00000080,00000000,00000000), ref: 00402717
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: LoadMessageSend$IconImage
                      • String ID:
                      • API String ID: 1393091567-0
                      • Opcode ID: 951d98b63cf2b3182dc1eea518742230a3fd432594870e2fc6b43e97917176a0
                      • Instruction ID: 712adf45518970bc22fb11556d945c1ca0ae59e47fa44c3fa285e0ec0003eb18
                      • Opcode Fuzzy Hash: 951d98b63cf2b3182dc1eea518742230a3fd432594870e2fc6b43e97917176a0
                      • Instruction Fuzzy Hash: F301FE72344304BAE1345B25DD8DFAB2F5CD788750F10483BF249B61D0C9F96851D62C
                      APIs
                      • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004037D8
                      • TranslateMessage.USER32(?), ref: 004037E2
                      • DispatchMessageA.USER32(?), ref: 004037EC
                      • Sleep.KERNELBASE(000003E8,?,00000000,?,?,?,?,?,004049FA,00000007,00401111), ref: 004037FE
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: Message$DispatchPeekSleepTranslate
                      • String ID:
                      • API String ID: 3768732053-0
                      • Opcode ID: 1778ced49c35210880981aaa6b2ca2567c833012ca698ff1ac7dea32964b9c14
                      • Instruction ID: b106b4398b12ab41475266a23a8f459fc3908085b42c4aafe640db239665424c
                      • Opcode Fuzzy Hash: 1778ced49c35210880981aaa6b2ca2567c833012ca698ff1ac7dea32964b9c14
                      • Instruction Fuzzy Hash: FDF04FB2A04209ABDF009FE5DC85DEF7BBDEB44745F008036F601E7190D6B4DA458BA5
                      APIs
                        • Part of subcall function 00401240: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00000000,00020019,004011D5,?,00000104,00000000,?,?,004011D5,004084C5,00000000), ref: 00401262
                        • Part of subcall function 00401240: RegQueryValueExA.KERNELBASE(004011D5,ProgramFilesDir,00000000,?,?,?,00000104,00000000), ref: 004012A2
                        • Part of subcall function 00401240: lstrlenA.KERNEL32(?,00000104,00000000), ref: 004012AA
                        • Part of subcall function 00401240: RegQueryValueExA.KERNELBASE(004011D5,CommonFilesDir,00000000,00000001,?,00000104,00000000), ref: 004012DA
                        • Part of subcall function 00401240: lstrlenA.KERNEL32 ref: 004012E2
                        • Part of subcall function 00401240: RegCloseKey.KERNELBASE(004011D5,?,004011D5,004084C5,00000000), ref: 004012FA
                        • Part of subcall function 00401240: GetWindowsDirectoryA.KERNEL32(00000104,?,00000104,00000000,?,?,004011D5,004084C5,00000000), ref: 00401307
                        • Part of subcall function 00401240: lstrlenA.KERNEL32(?,00000104,00000000,?,?,004011D5,004084C5,00000000), ref: 00401313
                        • Part of subcall function 00401240: lstrcatA.KERNEL32(\SYSTEM32,00000104,00000000,?,?,004011D5,004084C5,00000000), ref: 00401339
                        • Part of subcall function 00401240: lstrlenA.KERNEL32(?,?,004011D5,004084C5,00000000), ref: 00401341
                        • Part of subcall function 00401240: GetSystemDirectoryA.KERNEL32(00000104), ref: 0040135D
                        • Part of subcall function 00401240: lstrlenA.KERNEL32(?,004011D5,004084C5,00000000), ref: 00401369
                        • Part of subcall function 00401240: GetTempPathA.KERNEL32(00000104,004011D5,004084C5,00000000), ref: 00401385
                      • LoadLibraryA.KERNELBASE(RICHED32.DLL,004084C5,00000000), ref: 004011DA
                      • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 004011FC
                        • Part of subcall function 00401670: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00000000,00401208,00000000), ref: 00401698
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: lstrlen$DirectoryFileQueryValue$CloseLibraryLoadModuleNameOpenPathSizeSystemTempWindowslstrcat
                      • String ID: RICHED32.DLL
                      • API String ID: 1801012914-2327432079
                      • Opcode ID: 6387ecd39f5b754520895771ec538efef8686c4d63ee010c4bbce5f12847ec4c
                      • Instruction ID: 9fe9e06861eea81cc5dc3a537b72b56d1623557e28b9747a8b9982b114dae6ba
                      • Opcode Fuzzy Hash: 6387ecd39f5b754520895771ec538efef8686c4d63ee010c4bbce5f12847ec4c
                      • Instruction Fuzzy Hash: 25219271D05250EBCB219FB5EC959DA3B98AB86304714847FF600FB3E1E67C8885876E
                      APIs
                      • HeapReAlloc.KERNEL32(00000000,00000060,?,00000000,004089D7,?,?,?,00000100,?,00000000), ref: 00408C37
                      • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,004089D7,?,?,?,00000100,?,00000000), ref: 00408C6B
                      • VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,00000000,004089D7,?,?,?,00000100,?,00000000), ref: 00408C85
                      • HeapFree.KERNEL32(00000000,?,?,00000000,004089D7,?,?,?,00000100,?,00000000), ref: 00408C9C
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: AllocHeap$FreeVirtual
                      • String ID:
                      • API String ID: 3499195154-0
                      • Opcode ID: 9104c6e04a7c1f52c897091e5863a706e24b20d54b7387e2ba7ecb5b2e54d051
                      • Instruction ID: 09a40025bf28745f2f8f17adedda66603477c6f17993e16ee4e4dec0d5eaf049
                      • Opcode Fuzzy Hash: 9104c6e04a7c1f52c897091e5863a706e24b20d54b7387e2ba7ecb5b2e54d051
                      • Instruction Fuzzy Hash: 68116A70202250AFD720AF19ED459A27BF5FB843607128A3EE292D61B0C771D856DB28
                      APIs
                      • __EH_prolog.LIBCMT ref: 00405B2D
                        • Part of subcall function 004051E5: GetModuleHandleA.KERNEL32(00000000,?,?,?,00000000,00405B48,?,?), ref: 004051F3
                        • Part of subcall function 004051E5: FindResourceA.KERNEL32(00000000,00000005,00000005), ref: 00405202
                        • Part of subcall function 004051E5: LoadResource.KERNEL32(00000000,00000000,?,00000000,00405B48,?,?), ref: 0040520C
                        • Part of subcall function 004051E5: SizeofResource.KERNEL32(00000000,00000000,?,00000000,00405B48,?,?), ref: 00405216
                        • Part of subcall function 004051E5: LockResource.KERNEL32(00000000,00000000,?,00000000,00405B48,?,?), ref: 0040521E
                        • Part of subcall function 00405A65: GetModuleHandleA.KERNEL32(00000000,?,?,00000032,?,?,?,00000000), ref: 00405AB9
                        • Part of subcall function 00405A65: LoadStringA.USER32(00000000,?,?,?), ref: 00405AC0
                        • Part of subcall function 00405A65: lstrcpyA.KERNEL32(00000008,00000001,?,?,?,?,00000000), ref: 00405B10
                      • GetSystemDefaultLCID.KERNEL32(?,?), ref: 00405B77
                        • Part of subcall function 0040557F: GetDC.USER32(00000000), ref: 004055A9
                        • Part of subcall function 0040557F: lstrcpynA.KERNEL32(?,?,00000020,?,?,00000000), ref: 004055C7
                        • Part of subcall function 0040557F: lstrcpynA.KERNEL32(?,?,00000020,?,?,00000000), ref: 004055D2
                        • Part of subcall function 0040557F: EnumFontFamiliesExA.GDI32(00405B9D,?,0040566B,?,00000000), ref: 004055E5
                        • Part of subcall function 0040557F: lstrcpyA.KERNEL32(?,System,?,?,00000000), ref: 00405642
                        • Part of subcall function 0040557F: ReleaseDC.USER32(00000000,00405B9D), ref: 0040564C
                        • Part of subcall function 0040557F: lstrcmpiA.KERNEL32(SYSTEM,?), ref: 0040565A
                        • Part of subcall function 00405310: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020,?,00000000), ref: 00405380
                      • CreateDialogIndirectParamA.USER32(?,?,00000008,?,?), ref: 00405BC2
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: Resource$HandleLoadModulelstrcpylstrcpyn$ByteCharCreateDefaultDialogEnumFamiliesFindFontH_prologIndirectLockMultiParamReleaseSizeofStringSystemWidelstrcmpi
                      • String ID:
                      • API String ID: 938626887-0
                      • Opcode ID: 129a86522b02cbcf6dcfe6f564eba9f45939547f8839a9f4be296024b066be90
                      • Instruction ID: 36f157eb56b17973d0c686b728987bf3004504d771ea6e92297cb1cb3509911f
                      • Opcode Fuzzy Hash: 129a86522b02cbcf6dcfe6f564eba9f45939547f8839a9f4be296024b066be90
                      • Instruction Fuzzy Hash: 9C21907280021DABDF01DFE4CC05AEEBB75FF08304F04452AFA15A6191D7799614CF54
                      APIs
                      • CreateDirectoryA.KERNELBASE(?,00000000,74DF0440), ref: 0040152B
                      • GetLastError.KERNEL32(00000104), ref: 00401532
                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040158E
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: CreateDirectory$ErrorLast
                      • String ID:
                      • API String ID: 2485089472-0
                      • Opcode ID: 7480816399114e3e40b2c0c87feceb8d3d5953d0766f68bfbb701f0bac17743d
                      • Instruction ID: 4aa6c50d49d1b6ce745e9d13df1919ea54f18d80819c1477a9f3d57ac67792b1
                      • Opcode Fuzzy Hash: 7480816399114e3e40b2c0c87feceb8d3d5953d0766f68bfbb701f0bac17743d
                      • Instruction Fuzzy Hash: C401F7726142197ADF109674DD00BFF3B6D9B89318F104077F646FD1E4D7B89A81498A
                      APIs
                        • Part of subcall function 00401146: LoadLibraryA.KERNELBASE(RICHED32.DLL,004084C5,00000000), ref: 004011DA
                        • Part of subcall function 00401146: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 004011FC
                      • GetDesktopWindow.USER32 ref: 004010FD
                      • ExitProcess.KERNEL32 ref: 0040113B
                        • Part of subcall function 00402226: #17.COMCTL32 ref: 00402254
                      • GetDesktopWindow.USER32 ref: 00401126
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: DesktopWindow$ExitFileLibraryLoadModuleNameProcess
                      • String ID:
                      • API String ID: 917893701-0
                      • Opcode ID: b7f7f7d5244d1f954d9f345c20ee03d3b74cec8d0342c4fe27563428d03b7ad6
                      • Instruction ID: 2f64789ed7ea4405c70ce132d8fcf0bf885d74c719c3dae9ba925df6a10e0132
                      • Opcode Fuzzy Hash: b7f7f7d5244d1f954d9f345c20ee03d3b74cec8d0342c4fe27563428d03b7ad6
                      • Instruction Fuzzy Hash: D2F06D71D00301FBDB517BB19D4E79B3665AB58714F00887BBA40F51F1E7BA84609B1D
                      APIs
                      • WriteFile.KERNELBASE(?,00000000,00401F8D,?,00000000,?,B!@,00401F8D,00000000,B!@), ref: 00401846
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: FileWrite
                      • String ID: B!@
                      • API String ID: 3934441357-1981600975
                      • Opcode ID: 4dbbf5ac012962b76e08347131366eaec85f5966443eb9efadb6ee1fba171d16
                      • Instruction ID: cacac91facd6349f7b3c48ae5e5db845d154cf2f231c7dca36873e12aa78547c
                      • Opcode Fuzzy Hash: 4dbbf5ac012962b76e08347131366eaec85f5966443eb9efadb6ee1fba171d16
                      • Instruction Fuzzy Hash: 89D06C7650020DFBCF01CF80DD05BCD7BB9AB08259F208094BA15A61A0C2B5AA24AB54
                      APIs
                      • FreeLibrary.KERNELBASE(6F900000,00401111), ref: 004049DF
                        • Part of subcall function 004070FB: HeapFree.KERNEL32(00000000,?,00000000,0040B30E,0040847B,?,00000000,?,?,?,?,0040847B), ref: 00407122
                      • GetLongPathNameW.KERNELBASE(02161D00,00401111), ref: 00404A16
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: Free$HeapLibraryLongNamePath
                      • String ID:
                      • API String ID: 4051324937-0
                      • Opcode ID: c890b9b5a20e0c586349771fbfff4bea8d8b7b4a6f60d46788b812abc228819f
                      • Instruction ID: 3875175216a8d9c052b2e1981048b452b996d726bbec61ddd27748f08548e340
                      • Opcode Fuzzy Hash: c890b9b5a20e0c586349771fbfff4bea8d8b7b4a6f60d46788b812abc228819f
                      • Instruction Fuzzy Hash: D95116E0F48201A6DA25AB7EFC85B9733DC6A84B54314853FB544F7AD1DE3CE841992C
                      APIs
                      • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040518D
                      • ReadFile.KERNELBASE(000000FF,000000FF,00008000,00000000,00000000), ref: 004051A5
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: File$PointerRead
                      • String ID:
                      • API String ID: 3154509469-0
                      • Opcode ID: d55f5e1435f1b77dba7f361f2dab3186dd218f628a0a2682f0080f277fa87b4c
                      • Instruction ID: dd6868f0dac16c932d35b5b198790bb3735d7f8312db4c027438855880174580
                      • Opcode Fuzzy Hash: d55f5e1435f1b77dba7f361f2dab3186dd218f628a0a2682f0080f277fa87b4c
                      • Instruction Fuzzy Hash: 00112776C0010CBEEF119F95DD448EEBB7DEB043A4B208276F924A51A0D6355E619FA4
                      APIs
                      • wsprintfA.USER32 ref: 00401471
                      • GetPrivateProfileStringA.KERNEL32(00000000,00000000,004152D8,?,?,00000200), ref: 00401492
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: PrivateProfileStringwsprintf
                      • String ID:
                      • API String ID: 1475573541-0
                      • Opcode ID: ff2a1baf89ea36a2c00e30d4443ecf4a47db35688e4c85522447d71605a2cb6a
                      • Instruction ID: d4381c78bd633c859400592b2717246a1ac88273ba4bdccafb6718ba8c4fb761
                      • Opcode Fuzzy Hash: ff2a1baf89ea36a2c00e30d4443ecf4a47db35688e4c85522447d71605a2cb6a
                      • Instruction Fuzzy Hash: 97F01C72910609BBDF028FA1EC06ADE7BB9EB45318F108165FA05E10A0D3B59664DB59
                      APIs
                      • KiUserCallbackDispatcher.NTDLL(?,00000001,?,?,004068FD,?,00000002), ref: 00405C8A
                      • KiUserCallbackDispatcher.NTDLL(?,00000001,?,?,004068FD,?,00000002), ref: 00405C9B
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: CallbackDispatcherUser
                      • String ID:
                      • API String ID: 2492992576-0
                      • Opcode ID: 6fb42aaff412393ea9c4c1ac96b4278fd3ec7e5d3d84268d2cd2964098d6be04
                      • Instruction ID: a741948e1a973bc1e6d8e1d4279d64e3bebfc1ff3fe1807ede60f9970df8da3a
                      • Opcode Fuzzy Hash: 6fb42aaff412393ea9c4c1ac96b4278fd3ec7e5d3d84268d2cd2964098d6be04
                      • Instruction Fuzzy Hash: AFF05E35508B009FE7209F75D98894BB7E8FF80325710487FE896E3550C778A8458A58
                      APIs
                      • CreateFileA.KERNELBASE(00000001,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00403E30,?), ref: 0040509C
                        • Part of subcall function 00405160: SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040518D
                        • Part of subcall function 00405160: ReadFile.KERNELBASE(000000FF,000000FF,00008000,00000000,00000000), ref: 004051A5
                      • CloseHandle.KERNELBASE(00000000), ref: 004050B3
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: File$CloseCreateHandlePointerRead
                      • String ID:
                      • API String ID: 4133201480-0
                      • Opcode ID: 80311c69c770330fd19bd7c8dd619809b525a446cda0f0d6be6e27abde1d62b5
                      • Instruction ID: 9a7636f041ee3564ad8173d98e2dd2597fe1a6bfa56abd9761249e669ab5d482
                      • Opcode Fuzzy Hash: 80311c69c770330fd19bd7c8dd619809b525a446cda0f0d6be6e27abde1d62b5
                      • Instruction Fuzzy Hash: 5AE0863260152076D2313337BC0AF9F1965DBC6B34F15063AFA54F61D1CA740D1245AD
                      APIs
                      • HeapCreate.KERNELBASE(00000000,00001000,00000000,00408456,00000000), ref: 00408547
                        • Part of subcall function 00408572: HeapAlloc.KERNEL32(00000000,00000140,0040855B), ref: 0040857F
                      • HeapDestroy.KERNEL32 ref: 00408565
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: Heap$AllocCreateDestroy
                      • String ID:
                      • API String ID: 2236781399-0
                      APIs
                        • Part of subcall function 00401756: lstrlenA.KERNEL32(00000100,00000000,00000104,00000003,00401687,?,00000000,00000100,00000000,00000104,00000000,00401208,00000000), ref: 0040179B
                        • Part of subcall function 00401756: lstrcpyA.KERNEL32(00000103,00000104), ref: 004017C0
                        • Part of subcall function 00401756: CreateFileA.KERNELBASE(00000100,C0000000,00000003,00000000,00000004,00000080,00000000,00000000,00000104,00000003,00401687,?,00000000,00000100,00000000,00000104), ref: 004017D4
                        • Part of subcall function 00401756: MessageBoxA.USER32(00000000,00000000,00000100,00000000), ref: 004017EC
                      • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00000000,00401208,00000000), ref: 00401698
                      Similarity
                      • API ID: File$CreateMessageSizelstrcpylstrlen
                      • String ID:
                      • API String ID: 1768807334-0
                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,?,00000000,0040714C,000000E0,00407139,?,0040B38D,00000100,?,00000000), ref: 00407196
                      Similarity
                      • API ID: AllocateHeap
                      • String ID:
                      • API String ID: 1279760036-0
                      APIs
                      • ReadFile.KERNELBASE(00000000,00000000,00000040,00000000,00000000,00000030,?,00401A5E,00000000,?,00000040,00000000,00000000), ref: 00401824
                      Similarity
                      • API ID: FileRead
                      • String ID:
                      • API String ID: 2738559852-0
                      APIs
                      • GetFileAttributesA.KERNELBASE(?,004013AA), ref: 004014A2
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      APIs
                      • SetFilePointer.KERNELBASE(00000040,00000040,00000000,00000000,00401A68,00000000,?,00000000,00000000,?,00000040,00000000,00000000,00000000), ref: 00401806
                      Similarity
                      • API ID: FilePointer
                      • String ID:
                      • API String ID: 973152223-0
                      APIs
                      • CloseHandle.KERNELBASE(?,00401F93,00000000,00000000,B!@,?), ref: 00401855
                      Similarity
                      • API ID: CloseHandle
                      • String ID:
                      • API String ID: 2962429428-0
                      Strings
                      Similarity
                      • API ID:
                      • String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
                      • API String ID: 0-1157002505
                      APIs
                      • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,0040B765,?,Microsoft Visual C++ Runtime Library,00012010,?,004126D4,?,004141CC,?,?,?,Runtime Error!Program: ), ref: 0040C85F
                      • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040C877
                      • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0040C888
                      • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0040C895
                      Strings
                      Similarity
                      • API ID: AddressProc$LibraryLoad
                      • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                      • API String ID: 2238633743-4044615076
                      APIs
                      • GetModuleHandleA.KERNEL32(00000000,?,?,?,00000000,00405B48,?,?), ref: 004051F3
                      • FindResourceA.KERNEL32(00000000,00000005,00000005), ref: 00405202
                      • LoadResource.KERNEL32(00000000,00000000,?,00000000,00405B48,?,?), ref: 0040520C
                      • SizeofResource.KERNEL32(00000000,00000000,?,00000000,00405B48,?,?), ref: 00405216
                      • LockResource.KERNEL32(00000000,00000000,?,00000000,00405B48,?,?), ref: 0040521E
                        • Part of subcall function 0040527C: GlobalAlloc.KERNEL32(00000040,?,?,0040522C,00000000,?,00000000,00405B48,?,?), ref: 0040528C
                        • Part of subcall function 0040527C: GlobalLock.KERNEL32(00000000), ref: 0040529A
                      Similarity
                      • API ID: Resource$GlobalLock$AllocFindHandleLoadModuleSizeof
                      • String ID:
                      • API String ID: 2547615424-0
                      APIs
                      • GetVersion.KERNEL32 ref: 0040841D
                        • Part of subcall function 00408536: HeapCreate.KERNELBASE(00000000,00001000,00000000,00408456,00000000), ref: 00408547
                        • Part of subcall function 00408536: HeapDestroy.KERNEL32 ref: 00408565
                      • GetCommandLineA.KERNEL32 ref: 0040846B
                      • GetStartupInfoA.KERNEL32(?), ref: 00408496
                      • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004084B9
                        • Part of subcall function 00408512: ExitProcess.KERNEL32 ref: 0040852F
                      Similarity
                      • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                      • String ID:
                      • API String ID: 2057626494-0
                      APIs
                      • GetLastError.KERNEL32(00000000,004151D4,000000FF,00000000,00000000,00000100,C0000000,004017E9,00000100,00000000), ref: 004021E3
                      • FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 004021F1
                      Similarity
                      • API ID: ErrorFormatLastMessage
                      • String ID:
                      • API String ID: 3479602957-0
                      Strings
                      Similarity
                      • API ID:
                      • String ID: 9@$HNA
                      • API String ID: 0-671729117
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000000,00405D25,00000000,?,?,00000000,?,004059C2,?,?,00000084), ref: 00405CDD
                      • HeapFree.KERNEL32(00000000,?,004059C2,?,?,00000084), ref: 00405CE4
                      Similarity
                      • API ID: Heap$FreeProcess
                      • String ID:
                      • API String ID: 3859560861-0
                      Strings
                      Similarity
                      • API ID:
                      • String ID: c
                      • API String ID: 0-112844655
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(Function_0000C6BC), ref: 0040C707
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32 ref: 0040C719
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      APIs
                      • GetDC.USER32(?), ref: 004061CA
                      • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004061E8
                      • GetObjectA.GDI32(00000000,0000003C,?), ref: 004061F8
                      • CreateFontIndirectA.GDI32(?), ref: 00406209
                      • SelectObject.GDI32(?,00000000), ref: 00406219
                      • GetDlgItem.USER32(?,000003EE), ref: 00406232
                      • GetWindowTextA.USER32(00000000,?,?), ref: 00406235
                      • GetTextExtentPointA.GDI32(?,?,00000000,?), ref: 00406251
                      • SelectObject.GDI32(?,?), ref: 0040625D
                      • DeleteObject.GDI32(00000000), ref: 00406260
                      • ReleaseDC.USER32(?,?), ref: 0040626D
                      • GetDlgItem.USER32(?,000003ED), ref: 0040627D
                      • GetWindowRect.USER32(00000000), ref: 00406280
                      • ScreenToClient.USER32(?,?), ref: 0040628B
                      • GetDlgItem.USER32(?,000003EE), ref: 004062BC
                      • MoveWindow.USER32(00000000,?,?,?), ref: 004062BF
                      Strings
                      Similarity
                      • API ID: Object$ItemWindow$SelectText$ClientCreateDeleteExtentFontIndirectMessageMovePointRectReleaseScreenSend
                      • String ID:
                      • API String ID: 1906446766-3916222277
                      APIs
                      • GetParent.USER32(00030426), ref: 0040483B
                      • IsWindowEnabled.USER32(?), ref: 00404851
                      • EnableWindow.USER32(?,00000000), ref: 0040485D
                      • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,004019A7,?,?), ref: 0040489D
                      • UpdateWindow.USER32(00000000), ref: 004048A4
                      • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004048CF
                      • IsDialogMessageA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,004019A7,?,?), ref: 004048DC
                      • TranslateMessage.USER32(?), ref: 004048EA
                      • DispatchMessageA.USER32(?), ref: 004048F4
                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097,?,?,?,?,?), ref: 00404913
                      • EnableWindow.USER32(?,00000001), ref: 00404924
                      • GetActiveWindow.USER32 ref: 0040492E
                      • SetActiveWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,004019A7,?,?), ref: 00404939
                      • DestroyWindow.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,004019A7,?,?), ref: 00404940
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: Window$Message$ActiveEnable$DestroyDialogDispatchEnabledParentPeekShowTranslateUpdate
                      • String ID:
                      • API String ID: 1591417340-0
                      APIs
                      • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00404DF3
                      • GetPrivateProfileSectionA.KERNEL32(rename,00000000,00007CFF,wininit.ini), ref: 00404E19
                      • GetShortPathNameA.KERNEL32(?,00000000,00000104), ref: 00404E30
                      • WritePrivateProfileStringA.KERNEL32(rename,NUL,00000000,wininit.ini), ref: 00404E48
                      • lstrcatA.KERNEL32(00000000,NUL), ref: 00404E66
                      • lstrcatA.KERNEL32(?,00414204), ref: 00404E70
                      • lstrcatA.KERNEL32(?,00000000), ref: 00404E7C
                      • lstrcatA.KERNEL32(?,004152DC), ref: 00404E86
                      • WritePrivateProfileSectionA.KERNEL32(rename,00000000,wininit.ini), ref: 00404E91
                      Strings
                      Similarity
                      • API ID: lstrcat$PrivateProfile$SectionWrite$FileMoveNamePathShortString
                      • String ID: NUL$rename$wininit.ini
                      • API String ID: 3702721171-3118012028
                      APIs
                      • FindResourceA.KERNEL32(00000076,00000002,00000000), ref: 00404FE4
                      • LoadResource.KERNEL32(00000000), ref: 00404FF9
                      • LockResource.KERNEL32(00000000), ref: 00405000
                      • GetDC.USER32(?), ref: 00405012
                      • SelectPalette.GDI32(00000000,00000000), ref: 0040502B
                      • RealizePalette.GDI32(00000000), ref: 00405032
                      • CreateDIBitmap.GDI32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 0040504A
                      • SendDlgItemMessageA.USER32(?,00000085,00000172,00000000,00000000), ref: 00405061
                      • ReleaseDC.USER32(?,00000000), ref: 0040506E
                      • DeleteObject.GDI32(00000000), ref: 00405075
                      Similarity
                      • API ID: Resource$Palette$BitmapCreateDeleteFindItemLoadLockMessageObjectRealizeReleaseSelectSend
                      • String ID:
                      • API String ID: 716246171-0
                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B6AE
                      • GetStdHandle.KERNEL32(000000F4,004126D4,00000000,?,00000000,00000000), ref: 0040B784
                      • WriteFile.KERNEL32(00000000), ref: 0040B78B
                      Strings
                      Similarity
                      • API ID: File$HandleModuleNameWrite
                      • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $hGA
                      • API String ID: 3784150691-692902864
                      APIs
                      • MapDialogRect.USER32(?,00000007), ref: 00406307
                      • GetClientRect.USER32(?,00000000), ref: 00406312
                      • GetDlgItem.USER32(?,000003EC), ref: 00406322
                      • GetWindowRect.USER32(00000000), ref: 00406329
                      • ScreenToClient.USER32(?,00000000), ref: 0040633A
                      • ScreenToClient.USER32(?,?), ref: 00406341
                      • GetObjectA.GDI32(?,00000018,00000000), ref: 00406375
                      Strings
                      Similarity
                      • API ID: ClientRect$Screen$DialogItemObjectWindow
                      • String ID: Bd@
                      • API String ID: 2622344874-4212289423
                      APIs
                      • LoadStringA.USER32(?,?), ref: 00403967
                      • wsprintfA.USER32 ref: 004039E5
                      • SetWindowTextA.USER32(?,?), ref: 004039F4
                      • SendMessageA.USER32(?,00000444,00000001,?), ref: 00403A0E
                      • wsprintfA.USER32 ref: 00403A38
                      • SendMessageA.USER32(?,000000C2,00000000,?), ref: 00403A4F
                      • SendMessageA.USER32(?,000000C2,00000000,004141CC), ref: 00403A5C
                      Strings
                      Similarity
                      • API ID: MessageSend$wsprintf$LoadStringTextWindow
                      • String ID: Dialog1000
                      • API String ID: 1247558384-2476676158
                      APIs
                      • GetWindowLongA.USER32(?,000000F0), ref: 00403837
                      • SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040384E
                      • lstrlenA.KERNEL32(00000000,?,00000000), ref: 00403857
                      • SendMessageA.USER32(?,00000449,00000002,00000000), ref: 00403899
                      • SetWindowLongA.USER32(?,000000F0,00000000), ref: 004038A7
                      • SendMessageA.USER32(?,000000B1,000000FF,00000000), ref: 004038B5
                      • SetFocus.USER32(?,?,00000000), ref: 004038BA
                      Strings
                      Similarity
                      • API ID: LongWindow$MessageSend$Focuslstrlen
                      • String ID: {\rtf1
                      • API String ID: 1463997157-3715308267
                      APIs
                      • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,00000080,00000000,%spftw%d.pkg,75BF8400,00403B98,00000000,?), ref: 004054B2
                      • GetFileSize.KERNEL32(00000000,00000000,00000001), ref: 004054C2
                      • CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 004054D3
                      • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 004054E6
                      • UnmapViewOfFile.KERNEL32(00000000), ref: 00405506
                      • CloseHandle.KERNEL32(00000000), ref: 0040550D
                      • CloseHandle.KERNEL32(00000000), ref: 00405515
                      Strings
                      Similarity
                      • API ID: File$CloseCreateHandleView$MappingSizeUnmap
                      • String ID: %spftw%d.pkg
                      • API String ID: 1223616889-1047716302
                      APIs
                      • LCMapStringW.KERNEL32(00000000,00000100,00412320,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0040B7D6
                      • LCMapStringA.KERNEL32(00000000,00000100,0041231C,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0040B7F2
                      • LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0040B83B
                      • MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0040B873
                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000020,00000001,00000100,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0040B8CB
                      • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0040B8E1
                      • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0040B914
                      • LCMapStringW.KERNEL32(?,00000100,00000100,00000100,?,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0040B97C
                      Similarity
                      • API ID: String$ByteCharMultiWide
                      • String ID:
                      • API String ID: 352835431-0
                      APIs
                      • GetParent.USER32(?), ref: 00402865
                      • GetDlgItem.USER32(00000000), ref: 0040286C
                      • IsDlgButtonChecked.USER32(?,00000079), ref: 00402879
                      • EnableWindow.USER32(00000000,00000000), ref: 00402881
                      • GetDlgItem.USER32(?,000003EA), ref: 00402891
                      • SendMessageA.USER32(00000000,00000443,00000000,00FFFFFF), ref: 004028A6
                      • CheckRadioButton.USER32(?,00000079,0000007A,0000007A), ref: 004028D9
                      • PostMessageA.USER32(?,00000470,00000000,00000002), ref: 0040291B
                      • PostMessageA.USER32(?,00000111,00000000,00000000), ref: 00402929
                      Similarity
                      • API ID: Message$ButtonItemPost$CheckCheckedEnableParentRadioSendWindow
                      • String ID:
                      • API String ID: 1484406288-0
                      APIs
                      • LoadLibraryA.KERNEL32(MPR.DLL,WNetUseConnectionA,00000000,00000000,?,?,?,?,?,?,00405832,?,?,00000104), ref: 004058D4
                      • GetProcAddress.KERNEL32(00000000), ref: 004058DB
                      • lstrlenA.KERNEL32(?,00000000,?,?,?,?,?,?,00405832,?,?,00000104), ref: 004058F7
                      • lstrlenA.KERNEL32(?,?,?,?,?,?,?,00405832,?,?,00000104), ref: 00405901
                      Strings
                      Similarity
                      • API ID: lstrlen$AddressLibraryLoadProc
                      • String ID: 2X@$MPR.DLL$WNetUseConnectionA
                      • API String ID: 2152392224-2214165922
                      APIs
                      • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0040847B), ref: 0040B265
                      • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0040847B), ref: 0040B279
                      • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0040847B), ref: 0040B2A5
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0040847B), ref: 0040B2DD
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0040847B), ref: 0040B2FF
                      • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0040847B), ref: 0040B318
                      • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0040847B), ref: 0040B32B
                      • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0040B369
                      Similarity
                      • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                      • String ID:
                      • API String ID: 1823725401-0
                      APIs
                      • SendDlgItemMessageA.USER32(?,00000085,?,?,?), ref: 00402762
                      • GetParent.USER32(?), ref: 0040277F
                      • GetDlgItem.USER32(00000000), ref: 00402786
                      • SetFocus.USER32(00000000), ref: 0040278D
                      • GetDlgItem.USER32(?,000003FD), ref: 004027A0
                      • SendMessageA.USER32(00000000,00000443,00000000,00FFFFFF), ref: 004027B5
                      • PostMessageA.USER32(?,00000470,00000000,00000002), ref: 0040281B
                      • PostMessageA.USER32(?,00000111,00000006,00000000), ref: 00402829
                      Similarity
                      • API ID: Message$Item$PostSend$FocusParent
                      • String ID:
                      • API String ID: 2726575069-0
                      APIs
                      • GetDC.USER32 ref: 004066D3
                      • SelectPalette.GDI32(00000000,?,00000000), ref: 004066E5
                      • RealizePalette.GDI32(00000000), ref: 004066F2
                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?,?,00406E52,00000000), ref: 004066FD
                      • UpdateWindow.USER32 ref: 00406704
                      • SelectPalette.GDI32(00000000,?,00000001), ref: 00406711
                      • RealizePalette.GDI32(00000000), ref: 00406714
                      • ReleaseDC.USER32(?,00000000), ref: 00406718
                      Similarity
                      • API ID: Palette$RealizeSelect$InvalidateRectReleaseUpdateWindow
                      • String ID:
                      • API String ID: 1074785300-0
                      APIs
                      • GetDC.USER32(?), ref: 00404F84
                      • SelectPalette.GDI32(00000000,00000000), ref: 00404F9B
                      • RealizePalette.GDI32(00000000), ref: 00404FA8
                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?,004026CF,?), ref: 00404FB3
                      • UpdateWindow.USER32(?), ref: 00404FBA
                      • SelectPalette.GDI32(00000000,?,00000001), ref: 00404FC7
                      • RealizePalette.GDI32(00000000), ref: 00404FCA
                      • ReleaseDC.USER32(?,00000000), ref: 00404FCE
                      Similarity
                      • API ID: Palette$RealizeSelect$InvalidateRectReleaseUpdateWindow
                      • String ID:
                      • API String ID: 1074785300-0
                      • Opcode ID: 6a062285dd60ed0394d3ba39adc496261a87830bdb18d4392d78974b43c8a272
                      • Instruction ID: 6b270c0ebecfb6383c9b6ffb39b081bb493130c0fd6688b1027fec6118013a24
                      • Opcode Fuzzy Hash: 6a062285dd60ed0394d3ba39adc496261a87830bdb18d4392d78974b43c8a272
                      • Instruction Fuzzy Hash: 92F06D32101216BFD7116BA1AD48FDF7B6DEF89351F008025F601921A1CAB96821CBAC
                      APIs
                      • GetProcAddress.KERNEL32(00000000,PackageStartup), ref: 00402186
                      • GetProcAddress.KERNEL32(UnpackFile,00000008), ref: 004021A1
                      • GetProcAddress.KERNEL32(PackageShutdown,00000008), ref: 004021BC
                      Strings
                      Similarity
                      • API ID: AddressProc
                      • String ID: PackageShutdown$PackageStartup$UnpackFile
                      • API String ID: 190572456-2228215052
                      • Opcode ID: 098053d08f571ec5186ca90d6fa3ba3bf6e1b2885cd0ba258fb94c75c3aafa47
                      • Instruction ID: b5d03044bfbfc1f22c2e95a4c66f75f31572894dd595bccfc62ea92f575f7c6e
                      • Opcode Fuzzy Hash: 098053d08f571ec5186ca90d6fa3ba3bf6e1b2885cd0ba258fb94c75c3aafa47
                      • Instruction Fuzzy Hash: 48F06275A92712BED7124734AE09BD37F985B44750F244033AE84E52E1D3B888818A6C
                      APIs
                      • GetStringTypeW.KERNEL32(00000001,00412320,00000001,00000000,?,00000100,00000000,004090B4,00000001,00000020,00000100,?,00000000), ref: 004092AE
                      • GetStringTypeA.KERNEL32(00000000,00000001,0041231C,00000001,00000000,?,00000100,00000000,004090B4,00000001,00000020,00000100,?,00000000), ref: 004092C8
                      • GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,004090B4,00000001,00000020,00000100,?,00000000), ref: 004092FC
                      • MultiByteToWideChar.KERNEL32(004090B4,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,004090B4,00000001,00000020,00000100,?,00000000), ref: 00409334
                      • MultiByteToWideChar.KERNEL32(004090B4,00000001,00000100,00000020,?,00000100,?,00000100,00000000,004090B4,00000001,00000020,00000100,?), ref: 0040938A
                      • GetStringTypeW.KERNEL32(?,?,00000000,00000001,?,00000100,?,00000100,00000000,004090B4,00000001,00000020,00000100,?), ref: 0040939C
                      Similarity
                      • API ID: StringType$ByteCharMultiWide
                      • String ID:
                      • API String ID: 3852931651-0
                      • Opcode ID: 204a9bea405484e2f086f42e5a65d422d9b0fbc8b89fc6272ad071a66e2cfa13
                      • Instruction ID: 0bf2dcfbcb719278ac60c694d5ae25d4f14163ddcf917089fba22b1d25cdcbab
                      • Opcode Fuzzy Hash: 204a9bea405484e2f086f42e5a65d422d9b0fbc8b89fc6272ad071a66e2cfa13
                      • Instruction Fuzzy Hash: D5416A72500209AFCF119F94DC85EEF7B69EB08754F10443AFA11E22E1C3798D609BA9
                      APIs
                      • FindResourceA.KERNEL32(00000000,?,00000002), ref: 00404EE1
                      • LoadResource.KERNEL32(00000000,00000000,?,?,00402455,00000084,00000000), ref: 00404EE9
                      • LockResource.KERNEL32(00000000,?,?,00402455,00000084,00000000), ref: 00404EF0
                      • LocalAlloc.KERNEL32(00000000,00000000,?,?,00402455,00000084,00000000), ref: 00404F18
                      • CreatePalette.GDI32(00000000), ref: 00404F5A
                      • LocalFree.KERNEL32(00000000,?,?,00402455,00000084,00000000), ref: 00404F64
                      Similarity
                      • API ID: Resource$Local$AllocCreateFindFreeLoadLockPalette
                      • String ID:
                      • API String ID: 3492113042-0
                      • Opcode ID: 5cb24084b62c122173330fedddcc24a655d02aba14295eb491d944463075e558
                      • Instruction ID: 08a20c61676d8d01f3a3103671ed8edc3c03245513e02ca4c1ecaee69e072a29
                      • Opcode Fuzzy Hash: 5cb24084b62c122173330fedddcc24a655d02aba14295eb491d944463075e558
                      • Instruction Fuzzy Hash: FD11E4B6105245ABD7009F64DCC4AAA7FB8EF49344F0980A9EA45EB352C275C944C724
                      APIs
                      • LoadStringA.USER32(?,00000000,00000200), ref: 00402FE4
                      • LoadStringA.USER32(?,00000000,00000032), ref: 00402FF5
                      • lstrcpyA.KERNEL32(00000000,02161CC0), ref: 00403007
                      • MessageBoxA.USER32(00401109,00000000,00000000,?), ref: 0040301E
                        • Part of subcall function 0040144C: wsprintfA.USER32 ref: 00401471
                        • Part of subcall function 0040144C: GetPrivateProfileStringA.KERNEL32(00000000,00000000,004152D8,?,?,00000200), ref: 00401492
                      Strings
                      Similarity
                      • API ID: String$Load$MessagePrivateProfilelstrcpywsprintf
                      • String ID: Strings
                      • API String ID: 3605897094-2066174825
                      • Opcode ID: 0c987fb46256fd7ebdcf8f1a5db18d48f74a45f107dfda39ed02b619ecc71eea
                      • Instruction ID: 5636c64313eb84bb2dbf4a83c6b9b5d13a35311ccc205c09d5cf37ad047bc6bf
                      • Opcode Fuzzy Hash: 0c987fb46256fd7ebdcf8f1a5db18d48f74a45f107dfda39ed02b619ecc71eea
                      • Instruction Fuzzy Hash: 7E216032901119BBEB12EB94ED49FDE7BB9EB48304F004072F504A10A0D7B8AB55CB95
                      APIs
                      • GetStartupInfoA.KERNEL32(?), ref: 0040B3D5
                      • GetFileType.KERNEL32(00000800), ref: 0040B47B
                      • GetStdHandle.KERNEL32(-000000F6), ref: 0040B4D4
                      • GetFileType.KERNEL32(00000000), ref: 0040B4E2
                      • SetHandleCount.KERNEL32 ref: 0040B519
                      Similarity
                      • API ID: FileHandleType$CountInfoStartup
                      • String ID:
                      • API String ID: 1710529072-0
                      • Opcode ID: 748cfc48922be1c8bdd6246c29a174aa551d886f915d603ac95cd22e048162a9
                      • Instruction ID: c6f47179f0c3da11a6831ce38d283d57b99896bb9b4d6a496f4139a431db2e1a
                      • Opcode Fuzzy Hash: 748cfc48922be1c8bdd6246c29a174aa551d886f915d603ac95cd22e048162a9
                      • Instruction Fuzzy Hash: BA5148319043118BD7208F28DC447A63BA4EB11734F16877AE8AAEB3E2D778D945C79D
                      APIs
                      • GetParent.USER32(?), ref: 00402946
                      • GetDlgItem.USER32(00000000,00003024), ref: 00402978
                      • EnableWindow.USER32(00000000), ref: 0040297F
                      • PostMessageA.USER32(00000000,00000470,00000000,00000002), ref: 004029D0
                      • PostMessageA.USER32(?,00000111,00000404,00000000), ref: 004029DF
                        • Part of subcall function 0040335E: GetDlgItem.USER32(?,00000404), ref: 00403367
                        • Part of subcall function 0040335E: GetWindowTextA.USER32(00000000,00000080), ref: 0040337D
                      Similarity
                      • API ID: ItemMessagePostWindow$EnableParentText
                      • String ID:
                      • API String ID: 2496947184-0
                      • Opcode ID: ee17ccad356f03cd9060a6bb9f25c95675e10411836821a827a87d63032d285a
                      • Instruction ID: 3317df457f42894ac800281a86338bb36874dae7c9554d8ce3c1dcf883241214
                      • Opcode Fuzzy Hash: ee17ccad356f03cd9060a6bb9f25c95675e10411836821a827a87d63032d285a
                      • Instruction Fuzzy Hash: 8D11E9F1344200BAE5218B28DE4EFBF6B689B45B20F148537F600FA1D1C3FD594286AE
                      APIs
                      • GetDlgItemTextA.USER32(?,?,00000104), ref: 004032E5
                      • SHBrowseForFolderA.SHELL32(00000000), ref: 00403301
                      • SHGetPathFromIDListA.SHELL32(00000000), ref: 00403318
                      • SetDlgItemTextA.USER32(?,?), ref: 00403328
                      • SHGetMalloc.SHELL32(00000000), ref: 00403332
                      Similarity
                      • API ID: ItemText$BrowseFolderFromListMallocPath
                      • String ID:
                      • API String ID: 2720712886-0
                      • Opcode ID: 3770268be13964587dc2eba6698f1da7d96caf0f3b9072e6c0dc050f25fbd284
                      • Instruction ID: 30104ff496587dbef1a54b128d14ddde72621d011dddc8f1913910500ceca83f
                      • Opcode Fuzzy Hash: 3770268be13964587dc2eba6698f1da7d96caf0f3b9072e6c0dc050f25fbd284
                      • Instruction Fuzzy Hash: 51111C35900509BBCF019F94DC48BDE3BB9EF88355F048025F905EB260DB79D551CBA8
                      APIs
                      • lstrcpyA.KERNEL32(00000000,00401DCB,0000000A,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00402118
                      • lstrcatA.KERNEL32(ext.dll,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00402129
                        • Part of subcall function 00401F22: GetTempFileNameA.KERNELBASE(ext,00000000,?,?,0000000A,00000000), ref: 00401F59
                        • Part of subcall function 00401F22: LZOpenFileA.LZ32(?,?,00000000), ref: 00401FA5
                        • Part of subcall function 00401F22: LZOpenFileA.LZ32(?,?,00001001,?,?,00000000), ref: 00401FBB
                        • Part of subcall function 00401F22: LZCopy.LZ32(00000000,00000000,?,?,00001001,?,?,00000000), ref: 00401FC4
                        • Part of subcall function 00401F22: LZClose.LZ32(00000000,00000000,00000000,?,?,00001001,?,?,00000000), ref: 00401FCC
                        • Part of subcall function 00401F22: LZClose.LZ32(00000000,00000000,00000000,00000000,?,?,00001001,?,?,00000000), ref: 00401FD2
                        • Part of subcall function 00401F22: DeleteFileA.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,00001001,?,?,00000000), ref: 00401FDE
                      • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0040214F
                      Strings
                      Similarity
                      • API ID: File$CloseOpen$CopyDeleteLibraryLoadNameTemplstrcatlstrcpy
                      • String ID: ext.dll
                      • API String ID: 2593742186-767477686
                      • Opcode ID: 102395a0ef3bf2a27e7ebbb0a0b1318477262fdb4282f1a997034c3e1939fef8
                      • Instruction ID: 0511a9a375b0bf75d911a994874503fa586754c340de184f5c75b6d620cd6e19
                      • Opcode Fuzzy Hash: 102395a0ef3bf2a27e7ebbb0a0b1318477262fdb4282f1a997034c3e1939fef8
                      • Instruction Fuzzy Hash: DAF0AC71940601FBC7025F60FE497C93B62EB883517108435FB49D51B4D67544A19B0D
                      APIs
                      • LoadLibraryA.KERNEL32(MPR.DLL,WNetCancelConnectionA,004058A7,?), ref: 00405971
                      • GetProcAddress.KERNEL32(00000000), ref: 00405978
                      Strings
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: MPR.DLL$WNetCancelConnectionA
                      • API String ID: 2574300362-1448443596
                      • Opcode ID: 04a3f7bfeeceeefe79924c6e51e4df3de566f184ec42d113ec58c8cac0cda987
                      • Instruction ID: ebd04dac91bcd11b6d785e46ede3ba146fe15cc4968264df138581cbb61d622c
                      • Opcode Fuzzy Hash: 04a3f7bfeeceeefe79924c6e51e4df3de566f184ec42d113ec58c8cac0cda987
                      • Instruction Fuzzy Hash: 78C012703803017ADD201770AE09BDE7915EBC4B82F504461B600D80E0CBF944D05908
                      APIs
                      • GetModuleHandleA.KERNEL32(KERNEL32,00407BDC), ref: 0040A010
                      • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0040A020
                      Strings
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: IsProcessorFeaturePresent$KERNEL32
                      • API String ID: 1646373207-3105848591
                      • Opcode ID: 23ee03d164a2a588d691c0b740949b48e3ffe7c16aab90976577f77560df4c7f
                      • Instruction ID: 7abfbcaec486868f47e060a0f3a4369bbdd772eb7d70e318e852e82dea94882b
                      • Opcode Fuzzy Hash: 23ee03d164a2a588d691c0b740949b48e3ffe7c16aab90976577f77560df4c7f
                      • Instruction Fuzzy Hash: DCC0127035030A95D9201B711E0975624289B08B41F1085326515F01C5DAECC470863E
                      APIs
                      • WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,?,?), ref: 0040BBBA
                      Similarity
                      • API ID: FileWrite
                      • String ID:
                      • API String ID: 3934441357-0
                      • Opcode ID: d5152e8da150efa96cb3c1c29f668c55aeffc889fcfadcebdbd333da8c562125
                      • Instruction ID: 8aeedd6225eb3d7b0269bbb2bdb49a2e20e8054147f556f26f9a3325892b3809
                      • Opcode Fuzzy Hash: d5152e8da150efa96cb3c1c29f668c55aeffc889fcfadcebdbd333da8c562125
                      • Instruction Fuzzy Hash: 5D51C171904208EFDB15CF68C984AEE7BB5FB45340F2085BBE915AB290DB749A40CB9C
                      APIs
                      • GetDesktopWindow.USER32 ref: 00405BF1
                      • GetWindowRect.USER32(?,?), ref: 00405C08
                      • GetWindowRect.USER32(00000000,?), ref: 00405C15
                      • SetWindowPos.USER32(?,00000000,?,00000000,00000000,00000000,00000205), ref: 00405C5F
                      Similarity
                      • API ID: Window$Rect$Desktop
                      • String ID:
                      • API String ID: 2751908114-0
                      • Opcode ID: be579c2be5d92a21f6cc13d4b1b7105a8d72ee016f3f321b2dcf0f9382174e07
                      • Instruction ID: e313951bff953af3d8fe30c0525e3ea781f02bc2aa326d2df33214f665fb3d53
                      • Opcode Fuzzy Hash: be579c2be5d92a21f6cc13d4b1b7105a8d72ee016f3f321b2dcf0f9382174e07
                      • Instruction Fuzzy Hash: 66110071A0051AAFDF04DFBCCD49BEE7BF9EB08300F088225A915E6194D674EA008B54
                      APIs
                      • GetCPInfo.KERNEL32(?,00000000), ref: 00409029
                      Strings
                      Similarity
                      • API ID: Info
                      • String ID: $
                      • API String ID: 1807457897-3032137957
                      • Opcode ID: 2f0a41ca3c9df34af058cde9574b55f321e0d696a1c1640be6a3785363b03473
                      • Instruction ID: 0c0f4c8c40988154b9f2929fe6822964c1c7464332a5d81506fd8b921d4c54b1
                      • Opcode Fuzzy Hash: 2f0a41ca3c9df34af058cde9574b55f321e0d696a1c1640be6a3785363b03473
                      • Instruction Fuzzy Hash: F64147312042592EFB119B14DD4DBEB7FA9EB02704F1404F6D589EB1D3C2798D48DBAA
                      APIs
                      • GetTempFileNameA.KERNEL32(welcome,00000000,00000000,?,0000000A), ref: 00402021
                        • Part of subcall function 00401F22: GetTempFileNameA.KERNELBASE(ext,00000000,?,?,0000000A,00000000), ref: 00401F59
                        • Part of subcall function 00401F22: LZOpenFileA.LZ32(?,?,00000000), ref: 00401FA5
                        • Part of subcall function 00401F22: LZOpenFileA.LZ32(?,?,00001001,?,?,00000000), ref: 00401FBB
                        • Part of subcall function 00401F22: LZCopy.LZ32(00000000,00000000,?,?,00001001,?,?,00000000), ref: 00401FC4
                        • Part of subcall function 00401F22: LZClose.LZ32(00000000,00000000,00000000,?,?,00001001,?,?,00000000), ref: 00401FCC
                        • Part of subcall function 00401F22: LZClose.LZ32(00000000,00000000,00000000,00000000,?,?,00001001,?,?,00000000), ref: 00401FD2
                        • Part of subcall function 00401F22: DeleteFileA.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,00001001,?,?,00000000), ref: 00401FDE
                        • Part of subcall function 00401756: lstrlenA.KERNEL32(00000100,00000000,00000104,00000003,00401687,?,00000000,00000100,00000000,00000104,00000000,00401208,00000000), ref: 0040179B
                        • Part of subcall function 00401756: lstrcpyA.KERNEL32(00000103,00000104), ref: 004017C0
                        • Part of subcall function 00401756: CreateFileA.KERNELBASE(00000100,C0000000,00000003,00000000,00000004,00000080,00000000,00000000,00000104,00000003,00401687,?,00000000,00000100,00000000,00000104), ref: 004017D4
                        • Part of subcall function 00401756: MessageBoxA.USER32(00000000,00000000,00000100,00000000), ref: 004017EC
                      • DeleteFileA.KERNEL32(00000000), ref: 00402088
                      Strings
                      Similarity
                      • API ID: File$CloseDeleteNameOpenTemp$CopyCreateMessagelstrcpylstrlen
                      • String ID: welcome
                      • API String ID: 1679127067-936075699
                      • Opcode ID: 50a9140b8078a7e767a016db360748a746d36c0e2ef15fe0739c750febff1016
                      • Instruction ID: 80dab8198c723850ed83b5fa0af3c04a99dcbdb4855b914c6d82501249935667
                      • Opcode Fuzzy Hash: 50a9140b8078a7e767a016db360748a746d36c0e2ef15fe0739c750febff1016
                      • Instruction Fuzzy Hash: E11108B2C002187BDB216771DD49FCB7BACAB44314F0045B6FB49F61D0E6F89A94CA68
                      APIs
                      • LoadStringA.USER32(?,00000000,00000200), ref: 00402FE4
                      • LoadStringA.USER32(?,00000000,00000032), ref: 00402FF5
                      • lstrcpyA.KERNEL32(00000000,02161CC0), ref: 00403007
                      • MessageBoxA.USER32(00401109,00000000,00000000,?), ref: 0040301E
                        • Part of subcall function 0040144C: wsprintfA.USER32 ref: 00401471
                        • Part of subcall function 0040144C: GetPrivateProfileStringA.KERNEL32(00000000,00000000,004152D8,?,?,00000200), ref: 00401492
                      Strings
                      Similarity
                      • API ID: String$Load$MessagePrivateProfilelstrcpywsprintf
                      • String ID: Strings
                      • API String ID: 3605897094-2066174825
                      • Opcode ID: 21e1d4b6af8889796f1fe4b946612862427db005e6f250470b3990016607b62c
                      • Instruction ID: bc78d5eea818492619182671df068c3f18325816a1f7855000de05041c15797b
                      • Opcode Fuzzy Hash: 21e1d4b6af8889796f1fe4b946612862427db005e6f250470b3990016607b62c
                      • Instruction Fuzzy Hash: D811C132906149BBEB22DBA4ED48FDE7B78AB05304F0040B6F500A10A0C3B85B54CB55
                      APIs
                      • GlobalAlloc.KERNEL32(00000040,?,?,0040522C,00000000,?,00000000,00405B48,?,?), ref: 0040528C
                      • GlobalLock.KERNEL32(00000000), ref: 0040529A
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: Global$AllocLock
                      • String ID: H[@
                      • API String ID: 15508794-2925248613
                      • Opcode ID: 2fd0d6def0de92b2720e944e496b3aa0742dabfad8be71dd96b834a2f149a86a
                      • Instruction ID: 79ca2d11dc5369dafbded99c9dba67f8f70328e6a23978a025dc8162240b2bda
                      • Opcode Fuzzy Hash: 2fd0d6def0de92b2720e944e496b3aa0742dabfad8be71dd96b834a2f149a86a
                      • Instruction Fuzzy Hash: 41E048B2904701AFE7509F65DC05E977BD8EF08310F00C82EF65AD6290D679E490CF15
                      APIs
                      • lstrlenA.KERNEL32(J?@,75BF8400,00403F4A,00000000), ref: 0040327C
                      • IsDBCSLeadByte.KERNEL32(?), ref: 0040328E
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.3849260665.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000009.00000002.3849231914.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849293173.0000000000412000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849317397.0000000000414000.00000004.00000001.01000000.00000004.sdmp
                      • Associated: 00000009.00000002.3849339581.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_optojumpnext.jbxd
                      Similarity
                      • API ID: ByteLeadlstrlen
                      • String ID: J?@
                      • API String ID: 814178721-2890840744
                      • Opcode ID: 2f2da0a1450d3be5e7355d36a3b402a9ef11f816c943d1f46ed2f7078aa3c397
                      • Instruction ID: df2669deb1ac0325c21be9757d81bebf51ba2c642f413668a3448095013eaf99
                      • Opcode Fuzzy Hash: 2f2da0a1450d3be5e7355d36a3b402a9ef11f816c943d1f46ed2f7078aa3c397
                      • Instruction Fuzzy Hash: EBD012218487A1AAF7215F74A80C78BBFD81F1A246F08889DD5C5E3291D2B944448769

                      Execution Graph

                      Execution Coverage:4.7%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:25.9%
                      Total number of Nodes:1315
                      Total number of Limit Nodes:114
Mailbox 73 API calls 64054->64055 64056 aaf596 64055->64056 64708 aafea1 64056->64708 64058 aaf5b8 64059 aaf5c6 64058->64059 64713 aaf76a 94 API calls 2 library calls 64058->64713 64061 aac6a3 83 API calls 64059->64061 64062 aaf608 64061->64062 64063 aaf629 64062->64063 64064 aa1580 Mailbox 4 API calls 64062->64064 64065 aaf665 64063->64065 64067 aaf638 64063->64067 64064->64063 64066 aac950 71 API calls 64065->64066 64071 aaf663 64066->64071 64068 aaff23 73 API calls 64067->64068 64070 aaf64a 64068->64070 64069 aaf69a 64072 aaf727 64069->64072 64075 aac449 83 API calls 64069->64075 64073 aac950 71 API calls 64070->64073 64071->64069 64714 aafab5 78 API calls 2 library calls 64071->64714 64076 ada973 Mailbox 73 API calls 64072->64076 64077 aaf657 64073->64077 64079 aaf6ba 64075->64079 64080 aaf738 64076->64080 64081 aa1580 Mailbox 4 API calls 64077->64081 64078 aaf68e 64082 aa1580 Mailbox 4 API calls 64078->64082 64715 aaf76a 94 API calls 2 library calls 64079->64715 64084 aa1580 Mailbox 4 API calls 64080->64084 64081->64071 64082->64069 64085 aaf750 64084->64085 64086 aa1580 Mailbox 4 API calls 64085->64086 64087 aaf75c 64086->64087 64089 af41f8 Mailbox 6 API calls 64087->64089 64088 aaf6cf 64716 aaf1f4 64088->64716 64091 aaf767 64089->64091 64091->63114 64092 aaf6f7 64093 aaf70c 64092->64093 64721 aafb53 72 API calls 64092->64721 64095 aa1580 Mailbox 4 API calls 64093->64095 64096 aaf71b 64095->64096 64097 aa1580 Mailbox 4 API calls 64096->64097 64097->64072 64099 ab5f53 __EH_prolog3_GS 64098->64099 64100 ada973 Mailbox 73 API calls 64099->64100 64101 ab5f6d 64100->64101 64102 ada973 Mailbox 73 API calls 64101->64102 64103 ab5f81 64102->64103 64726 ab6ef9 64103->64726 64106 ada973 Mailbox 73 API calls 64107 ab5f9c 64106->64107 64108 aa1580 Mailbox 4 API calls 64107->64108 64109 ab5fab 64108->64109 64110 af41f8 Mailbox 6 API calls 64109->64110 64111 ab5fb2 64110->64111 64111->63141 64113 aae499 __flswbuf 64112->64113 64748 af1199 64113->64748 64117 aae4d4 64765 
aae402 64117->64765 64311 ab0960 __EH_prolog3 64310->64311 64312 ab0977 64311->64312 65543 aab831 SysFreeString 64311->65543 64313 ab0986 SysFreeString 64312->64313 64315 ab0997 ~_Task_impl 64313->64315 64315->63069 64317 af31f3 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 6 API calls 64316->64317 64318 ae4375 64317->64318 64318->62761 64318->63477 64320 aa37c9 64319->64320 64322 aa37dc 64319->64322 64321 aa5d10 81 API calls 64320->64321 64323 aa37d5 64321->64323 64322->64322 64324 aa5d10 81 API calls 64322->64324 64323->62857 64325 aa37fc 64324->64325 64325->62857 64326->62864 64327->62904 64328->62917 64329->62893 64330->62906 64331->62910 64333 aa23ac 64332->64333 64336 aa23ba 64332->64336 64333->64336 65544 aa15e0 64333->65544 64334 aa23f9 64334->62945 64336->64334 65549 aa1c20 354 API calls __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 64336->65549 64338->62929 64339->62937 64340->62953 64341->62971 64342->62984 64343->63003 64344->62991 64345->63010 64346->62963 64347->62987 64348->63038 64349->62952 64350->62995 64352 aa523f 64351->64352 64353 aa524d 64351->64353 64354 aa5d10 81 API calls 64352->64354 64356 aa5d10 81 API calls 64353->64356 64355 aa5248 64354->64355 64355->62982 64357 aa526c 64356->64357 64357->62982 64358->63089 64359->63102 64380->63085 64381->63103 64382->63109 64383->63113 64384->63163 64385->63180 64386->63182 64387->63189 64388->63167 64391 ab08fb SysAllocString 64390->64391 64392 ab08c2 64390->64392 64391->64392 64393 ab090a 64391->64393 64396 ab1478 64392->64396 64404 ab0caf RaiseException __CxxThrowException@8 64393->64404 64397 ab1489 64396->64397 64402 ab155c 64396->64402 64397->64402 64405 af2e95 64397->64405 64399 ab14bc 64400 af2e95 69 API calls 64399->64400 64401 ab14fb _memset 64400->64401 64401->64402 64413 ab0b42 73 API calls 64401->64413 64402->63669 64407 af4cb1 64405->64407 64408 
af4cd3 64407->64408 64410 af4cd5 std::exception::exception 64407->64410 64414 af6529 64407->64414 64431 af9937 DecodePointer 64407->64431 64408->64399 64432 af4189 RaiseException 64410->64432 64412 af4cff 64413->64401 64415 af65a4 64414->64415 64421 af6535 64414->64421 64441 af9937 DecodePointer 64415->64441 64417 af65aa 64442 af5af1 68 API calls __getptd_noexit 64417->64442 64418 af6540 64418->64421 64433 af7205 68 API calls 2 library calls 64418->64433 64434 af7262 68 API calls 8 library calls 64418->64434 64435 af74be 64418->64435 64421->64418 64422 af6568 RtlAllocateHeap 64421->64422 64425 af6590 64421->64425 64429 af658e 64421->64429 64438 af9937 DecodePointer 64421->64438 64422->64421 64423 af659c 64422->64423 64423->64407 64439 af5af1 68 API calls __getptd_noexit 64425->64439 64440 af5af1 68 API calls __getptd_noexit 64429->64440 64431->64407 64432->64412 64433->64418 64434->64418 64443 af748c GetModuleHandleExW 64435->64443 64438->64421 64439->64429 64440->64423 64441->64417 64442->64423 64444 af74bc ExitProcess 64443->64444 64445 af74a5 GetProcAddress 64443->64445 64445->64444 64446 af74b7 64445->64446 64446->64444 64447->63671 64448->63689 64450 af31fd IsProcessorFeaturePresent 64449->64450 64451 af31fb 64449->64451 64453 af5bb8 64450->64453 64451->63694 64456 af5b67 5 API calls ___raise_securityfailure 64453->64456 64455 af5c9b 64455->63694 64456->64455 64458 ae0ae3 __EH_prolog3 64457->64458 64474 ae1bc4 64458->64474 64460 ae0af4 ~_Task_impl 64460->63715 64463 af4cb9 64461->64463 64462 af6529 _malloc 68 API calls 64462->64463 64463->64462 64464 ae0bbd 64463->64464 64466 af4cd5 std::exception::exception 64463->64466 64481 af9937 DecodePointer 64463->64481 64464->63722 64482 af4189 RaiseException 64466->64482 64468 af4cff 64470 b18130 64469->64470 64471 b1812b 64469->64471 64472 af4cb1 Mailbox 69 API calls 64470->64472 64471->63757 64473 b18137 64472->64473 64473->63757 64475 ae1bd0 __EH_prolog3_catch 64474->64475 64476 af4cb1 Mailbox 69 API calls 
64475->64476 64477 ae1bd7 64476->64477 64479 ae1be4 ~_Task_impl 64477->64479 64480 af2e08 69 API calls 3 library calls 64477->64480 64479->64460 64480->64479 64481->64463 64482->64468 64484 aac83b 64483->64484 64485 aac831 64483->64485 64484->63761 64487 aafe73 72 API calls 64485->64487 64487->64484 64488->63764 64490 aac455 __EH_prolog3 64489->64490 64491 aac46d GetLastError 64490->64491 64495 aac78d 64491->64495 64494 aac4c4 ~_Task_impl 64494->63779 64496 aa5230 81 API calls 64495->64496 64497 aac498 SetLastError 64496->64497 64497->64494 64499 aac352 __EH_prolog3 64498->64499 64500 aac36a GetLastError 64499->64500 64501 aac384 64500->64501 64505 aac73a 64501->64505 64504 aac3c0 ~_Task_impl 64504->63783 64506 aa6150 Mailbox 71 API calls 64505->64506 64507 aac394 SetLastError 64506->64507 64507->64504 64509 aaf07f 64508->64509 64510 aaf072 SysFreeString 64508->64510 64511 aa6460 Mailbox 69 API calls 64509->64511 64510->64509 64512 aaf08d 64511->64512 64512->63808 64513->63807 64514->63803 64515->63896 64516->63901 64517->63906 64518->63921 64530 af535d 64519->64530 64522 aa2910 71 API calls 64523 aa33f6 64522->64523 64524 aa3730 70 API calls 64523->64524 64525 aa3408 64524->64525 64533 af5342 64525->64533 64528 aa34f0 119 API calls 64529 aa3428 64528->64529 64529->63933 64529->63934 64536 af5377 64530->64536 64532 aa33e4 64532->64522 64545 af52cb 64533->64545 64535 aa3416 64535->64528 64537 af53a8 64536->64537 64538 af5393 64536->64538 64537->64532 64543 af5af1 68 API calls __getptd_noexit 64538->64543 64540 af5398 64544 af8c18 9 API calls _vscan_fn 64540->64544 64542 af53a3 64542->64532 64543->64540 64544->64542 64546 af52e9 64545->64546 64547 af52d4 64545->64547 64549 af532c 64546->64549 64552 af52f7 64546->64552 64561 af5af1 68 API calls __getptd_noexit 64547->64561 64565 af5af1 68 API calls __getptd_noexit 64549->64565 64551 af52d9 64562 af8c18 9 API calls _vscan_fn 64551->64562 64563 af51d2 99 API calls 2 library calls 64552->64563 64554 af5324 64566 af8c18 9 
API calls _vscan_fn 64554->64566 64556 af530e 64559 af533c 64556->64559 64564 af5af1 68 API calls __getptd_noexit 64556->64564 64557 af52e4 64557->64535 64559->64535 64561->64551 64562->64557 64563->64556 64564->64554 64565->64554 64566->64559 64568 af2e95 69 API calls 64567->64568 64569 ab46a4 SetLastError 64568->64569 64569->63950 64570->63953 64572 b0ec9a GetTokenInformation 64571->64572 64573 b0ec5f GetLastError 64571->64573 64576 b0ecc1 GetLastError 64572->64576 64577 b0ecb2 64572->64577 64574 b0ec68 GetCurrentProcess OpenProcessToken GetLastError 64573->64574 64575 b0ec7d 64573->64575 64574->64575 64575->64572 64578 b0ec82 64575->64578 64576->64577 64580 b0ecc8 64576->64580 64596 b0ed7e CloseHandle 64577->64596 64595 b0ed7e CloseHandle 64578->64595 64581 af4cb1 Mailbox 69 API calls 64580->64581 64583 b0ecd0 GetTokenInformation 64581->64583 64584 b0ece6 64583->64584 64585 b0ece9 AllocateAndInitializeSid 64583->64585 64594 b0ed7e CloseHandle 64584->64594 64585->64584 64592 b0ed14 64585->64592 64586 b0ec8c 64587 af31f3 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 6 API calls 64586->64587 64589 b0ec21 64587->64589 64588 b0ed4e FreeSid 64588->64584 64589->63058 64591 b0ed20 EqualSid 64591->64592 64593 b0ed37 64591->64593 64592->64588 64592->64591 64592->64593 64593->64588 64594->64586 64595->64586 64596->64586 64597->63959 64643 b08810 64598->64643 64601 af31f3 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 6 API calls 64602 b08a02 64601->64602 64603 ab019d 64602->64603 64604 ab01a9 __EH_prolog3_GS 64603->64604 64605 aac6a3 83 API calls 64604->64605 64606 ab01c8 64605->64606 64607 ab0ad2 72 API calls 64606->64607 64608 ab01d9 64607->64608 64609 ada973 Mailbox 73 API calls 64608->64609 64610 ab01e5 64609->64610 64611 aa1580 Mailbox 4 API calls 64610->64611 64612 ab01f4 64611->64612 64613 af41f8 Mailbox 6 API calls 
64612->64613 64614 ab01fb 64613->64614 64615 ab5e3d 64614->64615 64616 ab5e49 __EH_prolog3_GS 64615->64616 64617 ada973 Mailbox 73 API calls 64616->64617 64618 ab5e66 64617->64618 64665 ab6d88 64618->64665 64622 ab5e7c 64623 ada973 Mailbox 73 API calls 64622->64623 64624 ab5e8c 64623->64624 64625 aa1580 Mailbox 4 API calls 64624->64625 64626 ab5e9a 64625->64626 64627 aa1580 Mailbox 4 API calls 64626->64627 64628 ab5ea6 64627->64628 64629 af41f8 Mailbox 6 API calls 64628->64629 64630 ab5ead 64629->64630 64630->63991 64675 af4216 64631->64675 64633 b06eef GetModuleHandleW GetProcAddress 64634 b06f14 CreateDirectoryW 64633->64634 64635 b06f25 GetModuleHandleW GetProcAddress 64633->64635 64636 b06f4a 64634->64636 64635->64636 64637 b06f3e 64635->64637 64639 aa1580 Mailbox 4 API calls 64636->64639 64676 abf3a7 70 API calls 64637->64676 64641 b06f54 ~_Task_impl 64639->64641 64640 b06f46 64640->64636 64641->64002 64642->64007 64644 b0881c __EH_prolog3_GS 64643->64644 64645 aa2580 2 API calls 64644->64645 64646 b0884b UuidToStringW 64645->64646 64647 aa5230 81 API calls 64646->64647 64648 b0887a 64647->64648 64657 b0add8 64648->64657 64650 b08882 RpcStringFreeW 64651 aac346 Mailbox 73 API calls 64650->64651 64652 b0889e 64651->64652 64653 aa1580 Mailbox 4 API calls 64652->64653 64654 b088a6 64653->64654 64655 af41f8 Mailbox 6 API calls 64654->64655 64656 b088ad 64655->64656 64656->64601 64658 b0ade4 __EH_prolog3 64657->64658 64659 aaf37b 72 API calls 64658->64659 64660 b0adf0 64659->64660 64661 aaf320 71 API calls 64660->64661 64662 b0adff CharUpperW 64661->64662 64663 aac8e0 103 API calls 64662->64663 64664 b0ae13 ~_Task_impl 64663->64664 64664->64650 64666 ab6d99 _vscan_fn 64665->64666 64667 ab6daf 72 API calls 64666->64667 64668 ab5e72 64667->64668 64669 ab5eae 64668->64669 64670 ab5eba __EH_prolog3 64669->64670 64671 ab5ed2 GetLastError 64670->64671 64672 aac73a Mailbox 71 API calls 64671->64672 64673 ab5ef0 SetLastError 64672->64673 64674 ab5f1c ~_Task_impl 
64673->64674 64674->64622 64675->64633 64676->64640 64678 ab4169 __EH_prolog3 64677->64678 64679 ab4189 64678->64679 64680 aaf066 70 API calls 64678->64680 64681 ada973 Mailbox 73 API calls 64679->64681 64680->64679 64682 ab4193 ~_Task_impl 64681->64682 64682->64012 64684 aafb0f __EH_prolog3 64683->64684 64685 aafb37 64684->64685 64686 aaf066 70 API calls 64684->64686 64687 ada973 Mailbox 73 API calls 64685->64687 64686->64685 64688 aafb41 ~_Task_impl 64687->64688 64688->64016 64690 aaff2f __EH_prolog3 64689->64690 64694 aac548 64690->64694 64692 aaff48 ~_Task_impl 64692->64040 64693->64037 64695 aac554 __EH_prolog3 64694->64695 64698 aac3c3 64695->64698 64697 aac57f ~_Task_impl 64697->64692 64699 aac3cf __EH_prolog3 64698->64699 64700 aac3e7 GetLastError 64699->64700 64701 aac401 64700->64701 64705 aac762 64701->64705 64704 aac446 ~_Task_impl 64704->64697 64706 aa6150 Mailbox 71 API calls 64705->64706 64707 aac41a SetLastError 64706->64707 64707->64704 64709 aafeb2 64708->64709 64711 aafebb 64708->64711 64709->64058 64711->64709 64722 aaefce 80 API calls 64711->64722 64723 af4e56 80 API calls 2 library calls 64711->64723 64713->64059 64714->64078 64715->64088 64718 aaf204 64716->64718 64720 aaf209 64718->64720 64724 af4e56 80 API calls 2 library calls 64718->64724 64725 aaf288 80 API calls 64718->64725 64720->64092 64721->64093 64722->64711 64723->64711 64724->64718 64725->64718 64727 ab6f05 __EH_prolog3_GS 64726->64727 64728 ab6f18 64727->64728 64734 ab6f23 64727->64734 64746 ab6f21 64727->64746 64731 aac950 71 API calls 64728->64731 64729 aa1580 Mailbox 4 API calls 64730 ab6f6c 64729->64730 64732 af41f8 Mailbox 6 API calls 64730->64732 64731->64746 64733 ab5f90 64732->64733 64733->64106 64735 ab6f74 64734->64735 64736 ab6f44 64734->64736 64737 ab6f78 64735->64737 64738 ab6f55 64735->64738 64736->64738 64747 aae97c 72 API calls Mailbox 64736->64747 64739 aaff23 73 API calls 64737->64739 64741 ab0ad2 72 API calls 64738->64741 64742 ab6f88 64739->64742 64741->64746 
64743 ab0ad2 72 API calls 64742->64743 64744 ab6f94 64743->64744 64745 aa1580 Mailbox 4 API calls 64744->64745 64745->64746 64746->64729 64747->64738 64749 af1226 64748->64749 64750 af11c6 64748->64750 64752 af31f3 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 6 API calls 64749->64752 64750->64749 64751 af11cd lstrcpyW 64750->64751 64753 af11ed _wcsrchr 64751->64753 64754 aae4be 64752->64754 64755 af1207 lstrcpyW lstrcpyW 64753->64755 64756 af11f5 CharNextW 64753->64756 64758 af0e43 lstrlenW 64754->64758 64755->64749 64756->64755 64757 af1202 64756->64757 64757->64755 64759 af0e59 64758->64759 64760 af0e77 lstrcpyW 64758->64760 64759->64760 64762 af0e65 lstrcpynW 64759->64762 64761 af0e82 64760->64761 64768 af131b 64761->64768 64762->64761 64777 aae387 64765->64777 64769 af132c CharNextW 64768->64769 64770 af1338 CharPrevW 64768->64770 64769->64769 64769->64770 64771 af134a 64770->64771 64772 af0e88 lstrcatW 64770->64772 64776 af2341 CharNextW CharNextW CharNextW CharNextW 64771->64776 64772->64117 64774 af1350 64774->64772 64775 af1354 CharNextW 64774->64775 64775->64772 64776->64774 64778 aae393 __EH_prolog3_GS 64777->64778 64795 ab8075 64778->64795 64780 aae3aa 64799 aaebe2 64780->64799 64796 ab8081 __EH_prolog3 64795->64796 64802 ab8149 64796->64802 64798 ab808b ~_Task_impl 64798->64780 64800 aaebfa 64799->64800 64813 aaec09 64800->64813 64803 ab8155 __EH_prolog3 64802->64803 64806 ab9c78 64803->64806 64805 ab8166 ~_Task_impl 64805->64798 64807 ab9c84 __EH_prolog3_catch 64806->64807 64808 af4cb1 Mailbox 69 API calls 64807->64808 64809 ab9c8b 64808->64809 64811 ab9c98 ~_Task_impl 64809->64811 64812 af2e08 69 API calls 3 library calls 64809->64812 64811->64805 64812->64811 64814 aaec19 64813->64814 64815 aaec3b 64814->64815 64816 aaec1d 64814->64816 64824 aae796 64815->64824 64820 aaeb4f 64816->64820 64819 aaec39 Mailbox 64821 aaebd7 64820->64821 64831 af2e67 69 API calls 2 library calls 
64821->64831 64825 aae7f3 64824->64825 64826 aae7a5 64824->64826 64833 af2e39 69 API calls 2 library calls 64825->64833 64830 aae7b3 Mailbox 64826->64830 64832 aae53e 69 API calls 3 library calls 64826->64832 64830->64819 64832->64830 65543->64312 65550 aa1410 65544->65550 65547 aa161b RegQueryValueExW 65548 aa1647 65547->65548 65548->64336 65549->64334 65551 aa142a 65550->65551 65552 aa1477 RegOpenKeyExW 65550->65552 65553 aa146a 65551->65553 65554 aa142f GetModuleHandleW 65551->65554 65557 aa1470 65552->65557 65553->65552 65553->65557 65555 aa1445 GetProcAddress 65554->65555 65556 aa143e 65554->65556 65555->65556 65555->65557 65556->65557 65557->65547 65557->65548 65574 af7647 __fcloseall 65573->65574 65575 aff36a __lock 61 API calls 65574->65575 65576 af764e 65575->65576 65577 af7707 _doexit 65576->65577 65578 af767c DecodePointer 65576->65578 65593 af7755 65577->65593 65578->65577 65580 af7693 DecodePointer 65578->65580 65586 af76a3 65580->65586 65582 af7764 __fcloseall 65582->63479 65584 af76b0 EncodePointer 65584->65586 65585 af774c 65587 af74be __mtinitlocknum 3 API calls 65585->65587 65586->65577 65586->65584 65588 af76c0 DecodePointer EncodePointer 65586->65588 65589 af7755 65587->65589 65591 af76d2 DecodePointer DecodePointer 65588->65591 65590 af7762 65589->65590 65598 aff4ce LeaveCriticalSection 65589->65598 65590->63479 65591->65586 65594 af775b 65593->65594 65595 af7735 65593->65595 65599 aff4ce LeaveCriticalSection 65594->65599 65595->65582 65597 aff4ce LeaveCriticalSection 65595->65597 65597->65585 65598->65590 65599->65595
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AE235F
                        • Part of subcall function 00AB08A9: __EH_prolog3.LIBCMT ref: 00AB08B0
                        • Part of subcall function 00AB1233: __EH_prolog3_GS.LIBCMT ref: 00AB123D
                        • Part of subcall function 00AB1233: SysStringLen.OLEAUT32(?), ref: 00AB1363
                        • Part of subcall function 00AB1233: SysFreeString.OLEAUT32(?), ref: 00AB1372
                      • GetCommandLineW.KERNEL32(?,runfromtemp,00000000,00000001,00000001,?,00000FD4), ref: 00AE23AF
                      • CommandLineToArgvW.SHELL32(00000000), ref: 00AE23B6
                      • lstrlenW.KERNEL32(00000000,runprerequisites,00000000,00000000,00000000,?), ref: 00AE24C8
                      • CoInitialize.OLE32(00000000), ref: 00AE24FC
                      • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104), ref: 00AE258B
                      • _memset.LIBCMT ref: 00AE2605
                      • CoUninitialize.OLE32(00000000,Running after reboot,?,00000001,Setup.cpp,?,00000001,reboot,00000000,00000000,00000000,?,?,00000000), ref: 00AE28A3
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00AB9471: __EH_prolog3_GS.LIBCMT ref: 00AB947B
                        • Part of subcall function 00AB9471: GetProcAddress.KERNEL32(?,RunISMSISetup), ref: 00AB948D
                        • Part of subcall function 00AB8449: __EH_prolog3.LIBCMT ref: 00AB8450
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00AE0D8E: __EH_prolog3.LIBCMT ref: 00AE0D95
                      • CoUninitialize.OLE32(00000000,00000000,00000000,?,?,00000000), ref: 00AE291D
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      • Associated: 0000000A.00000002.3776383382.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B64000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B68000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B6C000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B6F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B9F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000BAF000.00000002.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorLastString$FreeH_prolog3H_prolog3_$CommandLineUninitialize$AddressArgvFileInitializeModuleNameProc_memsetlstrlen
                      • String ID: /IS_temp$ /debuglog$ /eprq$%s %s$%s /q"%s" /tempdisk1folder"%s" %s$%s%s$%s\%.04ld.mst$%s\%s.ini$0$>$C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}$ISSetup.dll$ISSetup.dll$InstallShield setup.exe (Unicode) started, cmdline: %s$Languages$Relaunching setup from temp$Running after reboot$Running as remove major upgrade$Setup returning %d$Setup.cpp$Skin$Startup$Supported$clone_wait$debuglog$eprq$k$reboot$removeasmajorupgrade$runfromtemp$runprerequisites$setup.isn$tempdisk1folder
                      • API String ID: 4130838925-1622165804
                      • Opcode ID: 5eeeec4e4fcbfcb502a08f202f3e25447ad66817fdc828cd04a1802f3af8f4a8
                      • Instruction ID: 1c44d38dec30466607723839fdb9d8c3eb651a3f270bae8c880304f72b0b041c
                      • Opcode Fuzzy Hash: 5eeeec4e4fcbfcb502a08f202f3e25447ad66817fdc828cd04a1802f3af8f4a8
                      • Instruction Fuzzy Hash: 1E138C71801299EEDB21EB64CD45BEEBBB8AF16300F1440E9E049671D2DB745F88DFA1

                      Control-flow Graph

                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00B08AEE
                      • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0000014C,00AE2ED9,?), ref: 00B08B50
                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00B08B8B
                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000221,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00B08BAB
                      • _memset.LIBCMT ref: 00B08BBB
                      • SetEntriesInAclW.ADVAPI32 ref: 00B08C54
                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00B08C88
                        • Part of subcall function 00AAC6A3: __EH_prolog3.LIBCMT ref: 00AAC6AA
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      • Associated: 0000000A.00000002.3776383382.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B64000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B68000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B6C000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B6F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B9F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000BAF000.00000002.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: Initialize$Allocate$DescriptorEntriesH_prolog3H_prolog3_Security_memset
                      • String ID:
                      • API String ID: 2208176779-0
                      • Opcode ID: e07e98374c22b141b25b9d67506b0eb758063b054e7a6c2621754e47a3e7ff4d
                      • Instruction ID: 506396dc5161520e5b0291cab660fd8062b47537f61366f02f21f59926dd39fb
                      • Opcode Fuzzy Hash: e07e98374c22b141b25b9d67506b0eb758063b054e7a6c2621754e47a3e7ff4d
                      • Instruction Fuzzy Hash: 96912EB1900259AADB24DF94CD85BEEBBF8FF19700F5041E9E209B7181EB705B849F61

                      Control-flow Graph

                      control_flow_graph 1227 b0b033-b0b052 GetModuleHandleW GetProcAddress 1228 b0b054-b0b05b GetSystemInfo 1227->1228 1229 b0b05c-b0b05f GetNativeSystemInfo 1227->1229
                      APIs
                      • GetModuleHandleW.KERNEL32(kernel32,GetNativeSystemInfo,?,00B0963E,?), ref: 00B0B040
                      • GetProcAddress.KERNEL32(00000000), ref: 00B0B047
                      • GetSystemInfo.KERNEL32(00B0963E,?,00B0963E,?), ref: 00B0B054
                      • GetNativeSystemInfo.KERNELBASE(00B0963E,?,00B0963E,?), ref: 00B0B05C
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      • Associated: 0000000A.00000002.3776383382.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B64000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B68000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B6C000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B6F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B9F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000BAF000.00000002.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: InfoSystem$AddressHandleModuleNativeProc
                      • String ID: GetNativeSystemInfo$kernel32
                      • API String ID: 3433367815-3846845290

                      Control-flow Graph

                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AE132F
                      • _memset.LIBCMT ref: 00AE135E
                      • _memset.LIBCMT ref: 00AE137B
                      • _memset.LIBCMT ref: 00AE1395
                      • _memset.LIBCMT ref: 00AE13AF
                      • _memset.LIBCMT ref: 00AE13C9
                      • _memset.LIBCMT ref: 00AE13E3
                      • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00AE13F4
                      • CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00AE1425
                      • CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 00AE1442
                      • CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 00AE145F
                      • CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 00AE147C
                      • CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 00AE149D
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: _memset$CreateKnownWell$DescriptorH_prolog3_InitializeSecurity
                      • String ID:
                      • API String ID: 4043395516-0

                      Control-flow Graph

                      APIs
                      • GetCurrentThread.KERNEL32 ref: 00B0EC48
                      • OpenThreadToken.ADVAPI32(00000000), ref: 00B0EC4F
                      • GetLastError.KERNEL32 ref: 00B0EC5F
                      • GetCurrentProcess.KERNEL32(00000008,?), ref: 00B0EC6E
                      • OpenProcessToken.ADVAPI32(00000000), ref: 00B0EC75
                      • GetLastError.KERNEL32 ref: 00B0EC7B
                      • GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,?), ref: 00B0ECAC
                      • GetLastError.KERNEL32 ref: 00B0ECC1
                      • GetTokenInformation.KERNELBASE(?,00000002,00000000,?,?), ref: 00B0ECE0
                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000223,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00B0ED0A
                      • EqualSid.ADVAPI32(00000004,?), ref: 00B0ED25
                      • FreeSid.ADVAPI32(?), ref: 00B0ED51
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: Token$ErrorLast$CurrentInformationOpenProcessThread$AllocateEqualFreeInitialize
                      • String ID:
                      • API String ID: 884311744-0

                      Control-flow Graph

                      APIs
                      • GetFileSize.KERNEL32(00B6B748,00000000,?,00000000,00000000,?,?,?,00AAD88B,000000FF,?,?,000000FF,?,00000150,00AB2E4C), ref: 00AB8DCF
                      • GetProcessHeap.KERNEL32(00000008,00000001,?,00000000,00000000,?,?,?,00AAD88B,000000FF,?,?,000000FF,?,00000150), ref: 00AB8DF0
                      • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,?,00AAD88B,000000FF,?,?,000000FF,?,00000150), ref: 00AB8DF7
                      • ReadFile.KERNEL32(00B6B748,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00AAD88B,000000FF,?,?,000000FF), ref: 00AB8E15
                      • _strlen.LIBCMT ref: 00AB8E24
                      • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,?,?,00AAD88B,000000FF,?,?,000000FF,?,00000150), ref: 00AB8E59
                      • HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,00AAD88B,000000FF,?,?,000000FF,?,00000150), ref: 00AB8E60
                      • GetProcessHeap.KERNEL32(00000008,00000003,?,00000000,00000000,?,?,?,00AAD88B,000000FF,?,?,000000FF,?,00000150), ref: 00AB8E70
                      • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,?,00AAD88B,000000FF,?,?,000000FF,?,00000150), ref: 00AB8E77
                      • ReadFile.KERNELBASE(00B6B748,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00AAD88B,000000FF,?,?,000000FF), ref: 00AB8E91
                      • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,?,00AAD88B,000000FF,?,?,000000FF,?,00000150), ref: 00AB8EAF
                      • HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,00AAD88B,000000FF,?,?,000000FF,?,00000150), ref: 00AB8EB6
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: Heap$Process$File$AllocFreeRead$Size_strlen
                      • String ID:
                      • API String ID: 3537955524-0

                      Control-flow Graph

                      APIs
                      • __EH_prolog3.LIBCMT ref: 00B06EEA
                      • GetModuleHandleW.KERNEL32(kernel32.dll,CreateDirectoryW,00000000,00B0773D), ref: 00B06F07
                      • GetProcAddress.KERNEL32(00000000), ref: 00B06F0A
                      • CreateDirectoryW.KERNELBASE(?,?), ref: 00B06F21
                      • GetModuleHandleW.KERNEL32(kernel32.dll,CreateDirectoryA), ref: 00B06F2F
                      • GetProcAddress.KERNEL32(00000000), ref: 00B06F32
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: AddressHandleModuleProc$CreateDirectoryH_prolog3
                      • String ID: CreateDirectoryA$CreateDirectoryW$kernel32.dll
                      • API String ID: 662308948-2917578371

                      Control-flow Graph

                      APIs
                      • __EH_prolog3.LIBCMT ref: 00AEFCB8
                      • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,0000003C,00AEF90D,?,?,00000044,00AF03A3,00000008,00000010,00AEEFCC), ref: 00AEFCE8
                      • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00AEFD11
                      • GetSystemInfo.KERNELBASE(000000FF), ref: 00AEFD33
                      • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,?), ref: 00AEFD47
                      • IsBadReadPtr.KERNEL32(?,000000F8), ref: 00AEFD7B
                      • UnmapViewOfFile.KERNEL32(00000000), ref: 00AEFD99
                      • MapViewOfFile.KERNEL32(00000008,00000004,00000000,00000000,?), ref: 00AEFDAB
                      • GetLastError.KERNEL32 ref: 00AEFE2C
                      • IsBadReadPtr.KERNEL32(?,000000F8), ref: 00AEFDD9
                        • Part of subcall function 00AA34D0: CloseHandle.KERNELBASE(?,00000000,00B0A2D6,?,0000006C,00B0AE91,00B09960,?,?), ref: 00AA34E3
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: File$View$CreateRead$CloseErrorH_prolog3HandleInfoLastMappingSystemUnmap
                      • String ID:
                      • API String ID: 2562861213-0

                      Control-flow Graph

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID: string too long
                      • API String ID: 4104443479-2556327735

                      Control-flow Graph

                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AF1C8D
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                      • _memset.LIBCMT ref: 00AF1CB2
                      • _memset.LIBCMT ref: 00AF1CC3
                      • CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,?,?), ref: 00AF1D49
                      • WaitForInputIdle.USER32(?,000003E8), ref: 00AF1D84
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorLast_memset$CreateH_prolog3_IdleInputProcessWait
                      • String ID: Attempting to launch (no wait): %s$Launch result %d$utils.cpp
                      • API String ID: 3383204261-2306871107

                      Control-flow Graph

                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AF033E
                      • _memset.LIBCMT ref: 00AF0371
                      • GetModuleFileNameW.KERNEL32(?,00000104), ref: 00AF038B
                        • Part of subcall function 00AEEF3C: __EH_prolog3_GS.LIBCMT ref: 00AEEF43
                        • Part of subcall function 00AEEF3C: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00AEEFF0
                        • Part of subcall function 00AEEF3C: GetLastError.KERNEL32 ref: 00AEEFFE
                      • _memset.LIBCMT ref: 00AF03B8
                        • Part of subcall function 00AF1105: __EH_prolog3_GS.LIBCMT ref: 00AF110C
                      • _memset.LIBCMT ref: 00AF0403
                      • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,?), ref: 00AF0417
                      • GetTempFileNameW.KERNELBASE(?,00B3E664,00000000,?,?,?,?,?,?,?,?,?), ref: 00AF0431
                        • Part of subcall function 00AAC6A3: __EH_prolog3.LIBCMT ref: 00AAC6AA
                        • Part of subcall function 00AB3F25: __EH_prolog3.LIBCMT ref: 00AB3F2C
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      • lstrcpyW.KERNEL32(?,00B6B748,?,?,?,?,?), ref: 00AF04B2
                      • DeleteFileW.KERNELBASE(00000000,?,?,00B45168,?,?,00000000,00000000), ref: 00AF056E
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: File$ErrorH_prolog3_Last_memset$FreeH_prolog3NameStringTemp$CreateDeleteModulePathlstrcpy
                      • String ID:
                      • API String ID: 1036951016-0

                      Control-flow Graph

                      APIs
                      • __EH_prolog3.LIBCMT ref: 00AEF6E7
                      • VirtualQuery.KERNEL32(?,00AEF8BC,0000001C,0000004C,00AEF8BC,00000008,?,00AF03A3,8DF633FF,?,?,?,00AEF929,00AF03A3,?,00000008), ref: 00AEF713
                        • Part of subcall function 00AEF959: CompareStringA.KERNELBASE(00000400,00000001,?,00000008,00000008,000000FF,C252E8FF,00000000,00AF03A3,?,00AEF72F,.debug,00AF03A3,?,00AEF929,00AF03A3), ref: 00AEF981
                      • GetSystemInfo.KERNELBASE(?,?,00AEF929,00AF03A3,?), ref: 00AEF7C8
                      • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,?,00AEF929,?,?,00AEF929,00AF03A3,?), ref: 00AEF7EA
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      • Associated: 0000000A.00000002.3776383382.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B64000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B68000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B6C000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B6F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B9F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000BAF000.00000002.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: CompareFileH_prolog3InfoQueryStringSystemViewVirtual
                      • String ID: .debug$.rdata$.text
                      • API String ID: 3690134103-733372908

                      APIs
                      • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00AA1434
                      • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00AA144B
                      • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,00000000), ref: 00AA1484
                      • RegCloseKey.ADVAPI32(00000000), ref: 00AA1497
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: AddressCloseHandleModuleOpenProc
                      • String ID: Advapi32.dll$RegOpenKeyTransactedW$`{Al
                      • API String ID: 823179699-2347259009

                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AEEF43
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00AE6F98: __EH_prolog3.LIBCMT ref: 00AE6F9F
                      • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00AEEFF0
                      • GetLastError.KERNEL32 ref: 00AEEFFE
                      • _memset.LIBCMT ref: 00AEF01A
                        • Part of subcall function 00AEFFAC: SetFilePointer.KERNELBASE(00AB10AE,00000000,?,00000000,00000000,?,?,?,?,00AEF5FF,00000000,?,00000000,00000000), ref: 00AEFFCC
                        • Part of subcall function 00AEFFAC: GetLastError.KERNEL32(?,?,?,?,00AEF5FF,00000000,?,00000000,00000000), ref: 00AEFFD4
                      • ReadFile.KERNELBASE(0000002E,?,0000002E,?,00000000,?,?,00000000,00000000,00000044,00AF03A3,?), ref: 00AEF04C
                        • Part of subcall function 00AEF27A: __EH_prolog3_GS.LIBCMT ref: 00AEF281
                      • ReadFile.KERNEL32(?,?,0000002E,?,00000000,?,?,00000000,00000000,?), ref: 00AEF0C3
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorFileLast$H_prolog3_Read$CreateH_prolog3Pointer_memset
                      • String ID:
                      • API String ID: 1186803598-0

                      APIs
                      • CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,?,000000FF), ref: 00AA684C
                      • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00AA68F6
                      • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00AA6923
                      • CloseHandle.KERNELBASE ref: 00AA69A4
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: File$BuffersCloseCreateFlushHandleWrite
                      • String ID:
                      • API String ID: 4137531733-0

                      APIs
                        • Part of subcall function 00AA1410: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00AA1434
                        • Part of subcall function 00AA1410: RegCloseKey.ADVAPI32(00000000), ref: 00AA1497
                      • RegQueryValueExW.ADVAPI32(00000000,DoVerboseLogging,00000000,?,?,?), ref: 00AA163D
                      • RegCloseKey.ADVAPI32(00000000), ref: 00AA165D
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: Close$HandleModuleQueryValue
                      • String ID: DoVerboseLogging$SOFTWARE\InstallShield\25.0\Professional$`{Al
                      • API String ID: 2971604672-1332538311
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AEF58B
                      • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,00000044,00AEF36D,00B3C124,00AF336D,00B3C124,?), ref: 00AEF5D2
                      • GetLastError.KERNEL32 ref: 00AEF5DF
                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00AEF659
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: CloseCreateErrorFileH_prolog3_HandleLast
                      • String ID:
                      • API String ID: 3060235777-0
                      APIs
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorFileLastRead_memset_strlen
                      • String ID:
                      • API String ID: 908522378-0
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AADD6C
                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000080,00000000,00000110,00AAE3EB,?,?,?,?,?,00000028,00AAE312), ref: 00AADDA1
                        • Part of subcall function 00AA69D0: CloseHandle.KERNELBASE(00B6B748,00B6B748,00AAD75B,?,00000000,00000000,?,00AAD851,000000FF,?,00000150,00AB2E4C,00B6B748,00000000,Startup,?), ref: 00AA69E4
                        • Part of subcall function 00AAE2CF: WriteFile.KERNELBASE(?,?,00000000,?,00000000,00000000,?,00AADE05,00000000,?,?,00000000,00000001,0000FEFF,?,00AAD04B), ref: 00AAE2F1
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: File$CloseCreateH_prolog3_HandleWrite
                      • String ID: ]
                      • API String ID: 1217578190-3462329250
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AAD5B7
                        • Part of subcall function 00AB811E: __EH_prolog3.LIBCMT ref: 00AB8125
                      • _memset.LIBCMT ref: 00AAD5EB
                      • _wcscpy.LIBCMT ref: 00AAD603
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: H_prolog3H_prolog3__memset_wcscpy
                      • String ID:
                      • API String ID: 776734056-0
                      APIs
                      • SysAllocStringLen.OLEAUT32(00000000,?), ref: 00AA6559
                      • _memmove.LIBCMT ref: 00AA6581
                      • SysFreeString.OLEAUT32(00000000), ref: 00AA6591
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: String$AllocFree_memmove
                      • String ID:
                      • API String ID: 439004091-0
                      APIs
                      • _malloc.LIBCMT ref: 00AF4CC9
                        • Part of subcall function 00AF6529: __FF_MSGBANNER.LIBCMT ref: 00AF6540
                        • Part of subcall function 00AF6529: __NMSG_WRITE.LIBCMT ref: 00AF6547
                        • Part of subcall function 00AF6529: RtlAllocateHeap.NTDLL(00DB0000,00000000,00000001,00000000,?,00000000,?,00AF780F,00000008,00000008,00000008,?,?,00AFF433,00000018,00B5DA98), ref: 00AF656C
                      • std::exception::exception.LIBCMT ref: 00AF4CE5
                      • __CxxThrowException@8.LIBCMT ref: 00AF4CFA
                        • Part of subcall function 00AF4189: RaiseException.KERNEL32(?,?,00AF2E66,00000000,?,?,?,?,00AF2E66,00000000,00B5D638,?), ref: 00AF41DA
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                      • String ID:
                      • API String ID: 3074076210-0
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AAD82B
                        • Part of subcall function 00AAD722: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000001,00000000,?,00000000,00000000,?,00AAD851,000000FF,?,00000150,00AB2E4C), ref: 00AAD745
                        • Part of subcall function 00AB8DB6: GetFileSize.KERNEL32(00B6B748,00000000,?,00000000,00000000,?,?,?,00AAD88B,000000FF,?,?,000000FF,?,00000150,00AB2E4C), ref: 00AB8DCF
                        • Part of subcall function 00AB8DB6: GetProcessHeap.KERNEL32(00000008,00000001,?,00000000,00000000,?,?,?,00AAD88B,000000FF,?,?,000000FF,?,00000150), ref: 00AB8DF0
                        • Part of subcall function 00AB8DB6: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,?,00AAD88B,000000FF,?,?,000000FF,?,00000150), ref: 00AB8DF7
                        • Part of subcall function 00AB8DB6: ReadFile.KERNEL32(00B6B748,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00AAD88B,000000FF,?,?,000000FF), ref: 00AB8E15
                        • Part of subcall function 00AB8DB6: _strlen.LIBCMT ref: 00AB8E24
                        • Part of subcall function 00AB8DB6: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,?,?,00AAD88B,000000FF,?,?,000000FF,?,00000150), ref: 00AB8E59
                        • Part of subcall function 00AB8DB6: HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,00AAD88B,000000FF,?,?,000000FF,?,00000150), ref: 00AB8E60
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      • Associated: 0000000A.00000002.3776383382.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B64000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B68000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B6C000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B6F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B9F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000BAF000.00000002.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: Heap$File$Process$AllocCreateFreeH_prolog3_ReadSize_strlen
                      • String ID:
                      • API String ID: 3764712436-410699589
                      • Opcode ID: 723f2982553a80dd6295818e57dc51536227119e6621bf425e4752a617242dbc
                      • Instruction ID: fa654b558151574d28a64039367e9badc2806c9edf6e879608b2826eb7cb3efa
                      • Opcode Fuzzy Hash: 723f2982553a80dd6295818e57dc51536227119e6621bf425e4752a617242dbc
                      • Instruction Fuzzy Hash: A5F16C71D01268DEDB20EFA4CD95BDEBBB8AF16314F5441AAE049B72C1DB701E84CB61
                      APIs
                      • ReadFile.KERNELBASE(00B6B748,?,00000400,?,00000000,00B6B748,00000000), ref: 00AAD548
                      • SetFilePointer.KERNELBASE(00B6B748,00000000,00000000,00000000,00B6B748,00000000), ref: 00AAD595
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: File$PointerRead
                      • String ID:
                      • API String ID: 3154509469-0
                      • Opcode ID: 73c78ef4fa43a9ab2f9f9d08a1bd64b4ffbf4f7f994d00536fa94573ae05f298
                      • Instruction ID: 0ced1c96afc08e2ec32c7912d411178802786342266c28fbe578e57f52d52666
                      • Opcode Fuzzy Hash: 73c78ef4fa43a9ab2f9f9d08a1bd64b4ffbf4f7f994d00536fa94573ae05f298
                      • Instruction Fuzzy Hash: 910100B4E412296ADB208B359E11BBE77A89F07318F2005A5EB82F74C0CB309E419A58
                      APIs
                      • __EH_prolog3_catch.LIBCMT ref: 00AB9BFC
                        • Part of subcall function 00AF4CB1: _malloc.LIBCMT ref: 00AF4CC9
                      • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00AB9C10
                        • Part of subcall function 00AF2E08: std::exception::exception.LIBCMT ref: 00AF2E1E
                        • Part of subcall function 00AF2E08: __CxxThrowException@8.LIBCMT ref: 00AF2E33
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Exception@8H_prolog3_catchInternal_throw_exceptionThrow_mallocstd::exception::exception
                      • String ID:
                      • API String ID: 99106500-0
                      • Opcode ID: 3ab5a04e2cb6ca0429a828c43590b42af6eac169b47d2e05c678227c1e01848c
                      • Instruction ID: 7dc005c10f2940417e7e74e53d4845230998a66404b82b29bdafd233e5cc9db2
                      • Opcode Fuzzy Hash: 3ab5a04e2cb6ca0429a828c43590b42af6eac169b47d2e05c678227c1e01848c
                      • Instruction Fuzzy Hash: 7A015E70C0538ACEDB05DFA982052EEFFF0AF59300F24C0A9D558AB352E6744B44DB95
                      APIs
                      • SetFilePointer.KERNELBASE(00AB10AE,00000000,?,00000000,00000000,?,?,?,?,00AEF5FF,00000000,?,00000000,00000000), ref: 00AEFFCC
                      • GetLastError.KERNEL32(?,?,?,?,00AEF5FF,00000000,?,00000000,00000000), ref: 00AEFFD4
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorFileLastPointer
                      • String ID:
                      • API String ID: 2976181284-0
                      • Opcode ID: 5c984c092c123eaf144115ed72331fcbd814d40cbc1f1b535367f42f1ab0e55a
                      • Instruction ID: a745feebdd15576b1f4c9bd4832268c75e50b813e6e14196b44d8615302f312f
                      • Opcode Fuzzy Hash: 5c984c092c123eaf144115ed72331fcbd814d40cbc1f1b535367f42f1ab0e55a
                      • Instruction Fuzzy Hash: AAF01CB6A00659BF8B108F69DC44C9F7BB9EB85370B108635FD15D3280DB30ED10DAA0
                      APIs
                      • ___crtCorExitProcess.LIBCMT ref: 00AF74C4
                        • Part of subcall function 00AF748C: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00AF7A77,?,?,00AF74C9,00000008,?,00AF6556,000000FF,0000001E,00000000,?,00000000,?,00AF780F), ref: 00AF749B
                        • Part of subcall function 00AF748C: GetProcAddress.KERNEL32(00AF7A77,CorExitProcess), ref: 00AF74AD
                      • ExitProcess.KERNEL32 ref: 00AF74CD
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ExitProcess$AddressHandleModuleProc___crt
                      • String ID:
                      • API String ID: 2427264223-0
                      • Opcode ID: 391cf710afb20029150ef069db8aca5def0605de17381e9b7a3a0b48d4042185
                      • Instruction ID: 1d26c2e12501b08d9f5fcb621430e7948c8c3d503055ebead0f65a64a399ef66
                      • Opcode Fuzzy Hash: 391cf710afb20029150ef069db8aca5def0605de17381e9b7a3a0b48d4042185
                      • Instruction Fuzzy Hash: 16B0923000410CBBCB012F51DC0A85D3F69EB00292B108024F9150A031DFB2A9919A84
                      APIs
                      • GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                      • SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorLast
                      • String ID:
                      • API String ID: 1452528299-0
                      • Opcode ID: 16bce0ac778f80363a3951f629f8083c79ce51c4cf9b94017db7462a20a081e7
                      • Instruction ID: 3c32499db824020c3b3333490ab3c027b0491d353411a3354c955ec4ec56a56b
                      • Opcode Fuzzy Hash: 16bce0ac778f80363a3951f629f8083c79ce51c4cf9b94017db7462a20a081e7
                      • Instruction Fuzzy Hash: B42154B6A00600EFCB10CF18D894B96BBF4FB49354F1582A9E8099B396DB74ED04CB90
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AEF9D7
                        • Part of subcall function 00AF4CB1: _malloc.LIBCMT ref: 00AF4CC9
                        • Part of subcall function 00AEEEE7: __EH_prolog3.LIBCMT ref: 00AEEEEE
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: H_prolog3H_prolog3__malloc
                      • String ID:
                      • API String ID: 243267633-0
                      • Opcode ID: 0add1d22d9e6aef50193a778e8ef945a9d5152167e88803005f673706bc90686
                      • Instruction ID: d136cb75ce3c4cbb7563376bf6f5a553aee4d7437e0646d4420ced13556976bb
                      • Opcode Fuzzy Hash: 0add1d22d9e6aef50193a778e8ef945a9d5152167e88803005f673706bc90686
                      • Instruction Fuzzy Hash: 15219230A00249AEDF15EBB1CA467AEBBF4EF04350F20413DE446A72D2EB74AE04DB10
                      APIs
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: H_prolog3_
                      • String ID:
                      • API String ID: 2427045233-0
                      • Opcode ID: d10672317ce1af929014734c447c37368da01242d14d61001e00bbee9509fc50
                      • Instruction ID: e13d29444e1ceccd6f14e1e6c06e257c500ca02955d6060b3ec0d9645c592a8a
                      • Opcode Fuzzy Hash: d10672317ce1af929014734c447c37368da01242d14d61001e00bbee9509fc50
                      • Instruction Fuzzy Hash: 38118F7190110CABCB04FBE8DA81AEEB7BDAF15310F54416AB112E31D2DF346A05D750
                      APIs
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: H_prolog3_
                      • String ID:
                      • API String ID: 2427045233-0
                      • Opcode ID: 7f3e5938cb9f0fcec69cc21413c7c7a404a060b0463423d2122da2cd0c852f49
                      • Instruction ID: bb386f9f63ad571b4e84235b1f5492fecbd7d73ed6660a7ebcbdee24b454d23e
                      • Opcode Fuzzy Hash: 7f3e5938cb9f0fcec69cc21413c7c7a404a060b0463423d2122da2cd0c852f49
                      • Instruction Fuzzy Hash: 7211667080028EBEDF21EBA0CD56BEEBBB8BB01304F14405DE101A71D2DBB95A49DB61
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00AEF8DA
                        • Part of subcall function 00AEFCB1: __EH_prolog3.LIBCMT ref: 00AEFCB8
                        • Part of subcall function 00AEFCB1: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,0000003C,00AEF90D,?,?,00000044,00AF03A3,00000008,00000010,00AEEFCC), ref: 00AEFCE8
                        • Part of subcall function 00AEFCB1: CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00AEFD11
                        • Part of subcall function 00AEFCB1: GetSystemInfo.KERNELBASE(000000FF), ref: 00AEFD33
                        • Part of subcall function 00AEFCB1: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,?), ref: 00AEFD47
                        • Part of subcall function 00AEFCB1: IsBadReadPtr.KERNEL32(?,000000F8), ref: 00AEFD7B
                        • Part of subcall function 00AEFCB1: UnmapViewOfFile.KERNEL32(00000000), ref: 00AEFD99
                        • Part of subcall function 00AEFCB1: MapViewOfFile.KERNEL32(00000008,00000004,00000000,00000000,?), ref: 00AEFDAB
                        • Part of subcall function 00AEFCB1: IsBadReadPtr.KERNEL32(?,000000F8), ref: 00AEFDD9
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: File$View$CreateH_prolog3Read$InfoMappingSystemUnmap
                      • String ID:
                      • API String ID: 2534712947-0
                      • Opcode ID: f75de3171d58f467fc7cd9092ea2d9f1444853268b9ea6b051a8099d29651596
                      • Instruction ID: cce39b6d6b2bf876109a7741acf0c73708209897166886b02485474c01742494
                      • Opcode Fuzzy Hash: f75de3171d58f467fc7cd9092ea2d9f1444853268b9ea6b051a8099d29651596
                      • Instruction Fuzzy Hash: 2F11F772C0014EEECF01EFE5CA42AEFBBB4AB18300F5445A9A555A7292D7714B05DB91
                      APIs
                      • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000001,00000000,?,00000000,00000000,?,00AAD851,000000FF,?,00000150,00AB2E4C), ref: 00AAD745
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: 9732179e3ec29827026b84c909c2e568f3920953059ab1e368922b33c9a19d1d
                      • Instruction ID: 38bc1a9f9a5547fcf3f5e9d3158e6f176dbf04344f482a779abe5178a2a3cc53
                      • Opcode Fuzzy Hash: 9732179e3ec29827026b84c909c2e568f3920953059ab1e368922b33c9a19d1d
                      • Instruction Fuzzy Hash: BDF0CD35200210EFCB245F24DC85F9AB7A9AB52724F20052EF6E26B6D1C7B1A881CB60
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AAE38E
                        • Part of subcall function 00AB8075: __EH_prolog3.LIBCMT ref: 00AB807C
                        • Part of subcall function 00AAD821: __EH_prolog3_GS.LIBCMT ref: 00AAD82B
                        • Part of subcall function 00AAE112: __EH_prolog3_GS.LIBCMT ref: 00AAE119
                        • Part of subcall function 00AADD62: __EH_prolog3_GS.LIBCMT ref: 00AADD6C
                        • Part of subcall function 00AADD62: CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000080,00000000,00000110,00AAE3EB,?,?,?,?,?,00000028,00AAE312), ref: 00AADDA1
                        • Part of subcall function 00AAC842: __EH_prolog3.LIBCMT ref: 00AAC849
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: H_prolog3_$H_prolog3$CreateFile
                      • String ID:
                      • API String ID: 3060330310-0
                      • Opcode ID: 166f4531cb524e86c376ab10f3d0f635e8bdff44d830c986c03ad1d8077388cb
                      • Instruction ID: 17d9d241470786d1290bfff36cb234683da50603d2d957cd0415d8bdd38ded2d
                      • Opcode Fuzzy Hash: 166f4531cb524e86c376ab10f3d0f635e8bdff44d830c986c03ad1d8077388cb
                      • Instruction Fuzzy Hash: EB01E83592121DABCF04EFA4EA96DEEB774FF19320F504528F41273192DB34AA45CB60
                      APIs
                      • CompareStringA.KERNELBASE(00000400,00000001,?,00000008,00000008,000000FF,C252E8FF,00000000,00AF03A3,?,00AEF72F,.debug,00AF03A3,?,00AEF929,00AF03A3), ref: 00AEF981
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: CompareString
                      • String ID:
                      • API String ID: 1825529933-0
                      • Opcode ID: 4ab58dcf7495a2a16df5728182db7cc54c60ea56199bc931f665462ea91b09f8
                      • Instruction ID: b139e9794e6abb19ff038618afbe24a839b1d5569925c76d14a8d3949be933c4
                      • Opcode Fuzzy Hash: 4ab58dcf7495a2a16df5728182db7cc54c60ea56199bc931f665462ea91b09f8
                      • Instruction Fuzzy Hash: 3FF02B323842117BDB108BA75C80BEAF759EB01771F528231FA6CD64D0D6B1EC8182E0
                      APIs
                      • __EH_prolog3_catch.LIBCMT ref: 00AAC2E9
                        • Part of subcall function 00AB9BF5: __EH_prolog3_catch.LIBCMT ref: 00AB9BFC
                        • Part of subcall function 00AB9BF5: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00AB9C10
                      Similarity
                      • API ID: H_prolog3_catch$Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception
                      • String ID:
                      • API String ID: 3299765916-0
                      • Opcode ID: 2467e90f6a19e432291ab468b23535142e05973d406830f324ece2bbc84dd40c
                      • Instruction ID: 117aa4ca31fc7a9a3e10c8e60c31888275396c24f579a213abb2392f28b9200c
                      • Opcode Fuzzy Hash: 2467e90f6a19e432291ab468b23535142e05973d406830f324ece2bbc84dd40c
                      • Instruction Fuzzy Hash: CAE09271904349DBDB11EF98C6067ADBEF1AF24721F20424CF1D4672C2C7B50B408795
                      APIs
                      • WriteFile.KERNELBASE(?,?,00000000,?,00000000,00000000,?,00AADE05,00000000,?,?,00000000,00000001,0000FEFF,?,00AAD04B), ref: 00AAE2F1
                      Similarity
                      • API ID: FileWrite
                      • String ID:
                      • API String ID: 3934441357-0
                      • Opcode ID: 7387f8af2691149b664cb0046eb19ccc45b83be86f6dcbf6d6e1b1535dd39ceb
                      • Instruction ID: 8e9ce1594a8ac1dee888b4cb304f0279fadc55b089ec363676ab934d4c7ec075
                      • Opcode Fuzzy Hash: 7387f8af2691149b664cb0046eb19ccc45b83be86f6dcbf6d6e1b1535dd39ceb
                      • Instruction Fuzzy Hash: 82D01732001628BFDF205F45EC09BEA7BADEF06761F104426FD44AB151CBB1AD619AE4
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00AAC2BB
                        • Part of subcall function 00AAC2E2: __EH_prolog3_catch.LIBCMT ref: 00AAC2E9
                      Similarity
                      • API ID: H_prolog3H_prolog3_catch
                      • String ID:
                      • API String ID: 1882928916-0
                      • Opcode ID: 92aa44600b451e9366500ae7277c0a6a692451457eb4083ca811868b0509ce07
                      • Instruction ID: a35ac6e1e646d157408ba60f2bb1d63a9bba027012694ea35419016235165e41
                      • Opcode Fuzzy Hash: 92aa44600b451e9366500ae7277c0a6a692451457eb4083ca811868b0509ce07
                      • Instruction Fuzzy Hash: 14D05E759002199BDB10EFD88A029EEBF78AB48720F100256F610A7380C7304B80879D
                      APIs
                      • _malloc.LIBCMT ref: 00AA9A0B
                        • Part of subcall function 00AF6529: __FF_MSGBANNER.LIBCMT ref: 00AF6540
                        • Part of subcall function 00AF6529: __NMSG_WRITE.LIBCMT ref: 00AF6547
                        • Part of subcall function 00AF6529: RtlAllocateHeap.NTDLL(00DB0000,00000000,00000001,00000000,?,00000000,?,00AF780F,00000008,00000008,00000008,?,?,00AFF433,00000018,00B5DA98), ref: 00AF656C
                      Similarity
                      • API ID: AllocateHeap_malloc
                      • String ID:
                      • API String ID: 501242067-0
                      • Opcode ID: 08dbbf07813f6b08d207800e11ab018d6f48db0226f383f7744c686828476756
                      • Instruction ID: c1db553e6b6361d994a44a137443e1dc09415359b284e20352c17f193f72c332
                      • Opcode Fuzzy Hash: 08dbbf07813f6b08d207800e11ab018d6f48db0226f383f7744c686828476756
                      • Instruction Fuzzy Hash: 20B092B290030D678B00EED9AA8286A779CAA64620B084425BA1C8B202E571F6208692
                      APIs
                      • _doexit.LIBCMT ref: 00AF7774
                        • Part of subcall function 00AF763B: __lock.LIBCMT ref: 00AF7649
                        • Part of subcall function 00AF763B: DecodePointer.KERNEL32(00B5D7E8,0000001C,00AF75AE,00000008,00000001,00000000,?,00AF74EF,000000FF,?,00AFF38D,00000011,00000000,?,00AF7AE5,0000000D), ref: 00AF7688
                        • Part of subcall function 00AF763B: DecodePointer.KERNEL32(?,00AF74EF,000000FF,?,00AFF38D,00000011,00000000,?,00AF7AE5,0000000D), ref: 00AF7699
                        • Part of subcall function 00AF763B: EncodePointer.KERNEL32(00000000,?,00AF74EF,000000FF,?,00AFF38D,00000011,00000000,?,00AF7AE5,0000000D), ref: 00AF76B2
                        • Part of subcall function 00AF763B: DecodePointer.KERNEL32(-00000004,?,00AF74EF,000000FF,?,00AFF38D,00000011,00000000,?,00AF7AE5,0000000D), ref: 00AF76C2
                        • Part of subcall function 00AF763B: EncodePointer.KERNEL32(00000000,?,00AF74EF,000000FF,?,00AFF38D,00000011,00000000,?,00AF7AE5,0000000D), ref: 00AF76C8
                        • Part of subcall function 00AF763B: DecodePointer.KERNEL32(?,00AF74EF,000000FF,?,00AFF38D,00000011,00000000,?,00AF7AE5,0000000D), ref: 00AF76DE
                        • Part of subcall function 00AF763B: DecodePointer.KERNEL32(?,00AF74EF,000000FF,?,00AFF38D,00000011,00000000,?,00AF7AE5,0000000D), ref: 00AF76E9
                      Similarity
                      • API ID: Pointer$Decode$Encode$__lock_doexit
                      • String ID:
                      • API String ID: 2158581194-0
                      • Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                      • Instruction ID: 3889cf868e54ab4562851d8e8b329330116ab92f3991b0f40d26b04c4f947c62
                      • Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                      • Instruction Fuzzy Hash: 5CB0123158430C33D9502585ED03F593B0C4740B60F100020FB0C1C2E1A993756084C9
                      APIs
                      • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001,?,00AEFA1A,?,00000074,00AEF133,00000000,?,?,?,?,?), ref: 00AEFFA2
                      Similarity
                      • API ID: FilePointer
                      • String ID:
                      • API String ID: 973152223-0
                      • Opcode ID: 6429dabaeca27191f8aba8053ce5ce0ad1ce09ca329c0e10d7da103253240f04
                      • Instruction ID: 7a9ea598c63fac712644a2e85c4adc4a88b3810b87999afafab938cec48b8c9c
                      • Opcode Fuzzy Hash: 6429dabaeca27191f8aba8053ce5ce0ad1ce09ca329c0e10d7da103253240f04
                      • Instruction Fuzzy Hash: 76B09231284708B7EA201A41EC06F897A19A710F50F604021B704290E0CBE264609598
                      APIs
                      • CloseHandle.KERNELBASE(00B6B748,00B6B748,00AAD75B,?,00000000,00000000,?,00AAD851,000000FF,?,00000150,00AB2E4C,00B6B748,00000000,Startup,?), ref: 00AA69E4
                      Similarity
                      • API ID: CloseHandle
                      • String ID:
                      • API String ID: 2962429428-0
                      • Opcode ID: 0f12bf98b3e840b53bb705ec2b6a08fb3d3ebac7631124767ab66c8dc0e39d2f
                      • Instruction ID: 1f0675d9b1720aa80da2525e676481b786742b4a294781ccb59ca26162dd2519
                      • Opcode Fuzzy Hash: 0f12bf98b3e840b53bb705ec2b6a08fb3d3ebac7631124767ab66c8dc0e39d2f
                      • Instruction Fuzzy Hash: 45C01230204A118B82389F2CAC40A6633D8AE46330368070DA0F8D32E0CB31CC828A90
                      APIs
                      • CloseHandle.KERNELBASE(?,00000000,00B0A2D6,?,0000006C,00B0AE91,00B09960,?,?), ref: 00AA34E3
                      Similarity
                      • API ID: CloseHandle
                      • String ID:
                      • API String ID: 2962429428-0
                      • Opcode ID: 6307dc6cbdf461901e166138a2b7742447f72dea5c49425cd762c69cdf0ec674
                      • Instruction ID: 825def8fe620866b73c788872eb8397a22268d78a571ca1ed1b867fab02d96d8
                      • Opcode Fuzzy Hash: 6307dc6cbdf461901e166138a2b7742447f72dea5c49425cd762c69cdf0ec674
                      • Instruction Fuzzy Hash: E6C012322096114BDB78CF28A850BA622D86F49301B24081DA885D3280CB61CD808698
                      APIs
                      • CloseHandle.KERNELBASE(?,?,00B0ECBB,00000000,00000000), ref: 00B0ED84
                      Similarity
                      • API ID: CloseHandle
                      • String ID:
                      • API String ID: 2962429428-0
                      • Opcode ID: 865c56e34ba29766f2c8b293a8ac56caef780bdad47d3b6325b70f3aa50728be
                      • Instruction ID: f4b97ee13750ac8a6c45e11b163454a6e424ab95a420bb8276371b27e34554a0
                      • Opcode Fuzzy Hash: 865c56e34ba29766f2c8b293a8ac56caef780bdad47d3b6325b70f3aa50728be
                      • Instruction Fuzzy Hash: 87B0123800464CBBCF011F51EC045DC7F2CEA05164B408050FD6C46222CB3295119AD0
                      APIs
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00ADCDA8: __EH_prolog3_GS.LIBCMT ref: 00ADCDB2
                      • _memset.LIBCMT ref: 00ACDB84
                      • _memset.LIBCMT ref: 00ACDB9F
                      • lstrlenW.KERNEL32(?,-00000004,?,?,?), ref: 00ACDBEE
                      • _memset.LIBCMT ref: 00ACDD24
                      • wsprintfW.USER32 ref: 00ACDD4D
                        • Part of subcall function 00ADA973: __EH_prolog3.LIBCMT ref: 00ADA97A
                        • Part of subcall function 00AC2F8F: __EH_prolog3_GS.LIBCMT ref: 00AC2F99
                        • Part of subcall function 00B087AC: __EH_prolog3_GS.LIBCMT ref: 00B087B3
                        • Part of subcall function 00AB5E3D: __EH_prolog3_GS.LIBCMT ref: 00AB5E44
                        • Part of subcall function 00ABF954: __EH_prolog3_GS.LIBCMT ref: 00ABF95B
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      • LoadLibraryW.KERNEL32(?), ref: 00ACEEC3
                      • GetProcAddress.KERNEL32(00000000,ISExternalUIInstall), ref: 00ACEEE1
                        • Part of subcall function 00ADE762: __EH_prolog3_GS.LIBCMT ref: 00ADE769
                      • GetLastError.KERNEL32 ref: 00ACEFF6
                        • Part of subcall function 00AAF1F4: __wcsnicmp.LIBCMT ref: 00AAF23B
                        • Part of subcall function 00ADC689: __EH_prolog3_GS.LIBCMT ref: 00ADC690
                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00ACF118
                      • ___FUnloadDelayLoadedDLL2@4.DELAYIMP ref: 00ACE941
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00AB3F25: __EH_prolog3.LIBCMT ref: 00AB3F2C
                      Strings
                      Similarity
                      • API ID: ErrorH_prolog3_Last$_memset$FreeH_prolog3StringTime$AddressDelayFileL2@4LibraryLoadLoadedProcSystemUnload__wcsnicmplstrlenwsprintf
                      • String ID: /a $ /f$ /i $ /j$ /p $ /x $%s="%s" %s="%s"$($/passive$/qb$/qn$/quiet$/t $Attempted unloaded of msi.dll: %d$Disabling WOW64 file system redirection to prevent issues with 64-bit MSI packages (costing error 2324)$Failed to get UI DLL from setup.exe for billboard support. This installation will run without billboards.$Failed to load UI DLL, last error %x, install will run without billboards$Failed to locate ISSetup.dll (%s)$First time install uses billboard support$ISExternalUI.dll$ISExternalUIInstall$ISSCRIPTCMDLINE$ISSCRIPTCMDLINE="$Loading ISExternalUI.dll from '%s'$MsiAction::InstallMsi - calling Reboot$ProductCode$SETUPEXEDIR$SETUPEXENAME$Startup$TRANSFORMS=$\$msi.dll$msiaction.cpp
                      • API String ID: 3834841087-3648684969
                      • Opcode ID: 80e87dbb5d94ddecddb5f5d391b46d6725b5e859b7d3c792908a697838cbf1e1
                      • Instruction ID: 01f8dff42ad188da522eb4c81bdaf391c60320c31db73dc626d19441a5f7494a
                      • Opcode Fuzzy Hash: 80e87dbb5d94ddecddb5f5d391b46d6725b5e859b7d3c792908a697838cbf1e1
                      • Instruction Fuzzy Hash: 56E2D030C05258EEDB25EB64CE59BEEB7B8AF15340F1441E9E04AA31C2EB745F88DB51
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ABCDDD
                      • GetDlgItem.USER32(00000000,0000040B), ref: 00ABCE10
                      • _memset.LIBCMT ref: 00ABD022
                      • ShellExecuteExW.SHELL32(?), ref: 00ABD0A3
                      • WaitForInputIdle.USER32(?,00002710), ref: 00ABD0B8
                      • ShowWindow.USER32(00000000,00000000), ref: 00ABD0CA
                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00ABD0D8
                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00ABD0EB
                      • CloseHandle.KERNEL32(?), ref: 00ABD0F7
                        • Part of subcall function 00AC76A3: __EH_prolog3_GS.LIBCMT ref: 00AC76AA
                      • GetDlgItem.USER32(00000000), ref: 00ABD49A
                      • GetDlgItem.USER32(000003EB,00000000), ref: 00ABD4B1
                      • GetDlgItem.USER32(00000000), ref: 00ABD4CC
                        • Part of subcall function 00AE71C1: __EH_prolog3_GS.LIBCMT ref: 00AE71C8
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00ABDFBF: __EH_prolog3_GS.LIBCMT ref: 00ABDFC9
                        • Part of subcall function 00ABDFBF: GetCommandLineW.KERNEL32 ref: 00ABE146
                      • SendMessageW.USER32(00000000,00000111,00000006,00000000), ref: 00ABD957
                        • Part of subcall function 00ABDEC5: __EH_prolog3_GS.LIBCMT ref: 00ABDECF
                        • Part of subcall function 00ABDEC5: IsWindow.USER32(?), ref: 00ABDEEB
                        • Part of subcall function 00ABDEC5: SendMessageW.USER32(?,00001074,?,?), ref: 00ABDF98
                        • Part of subcall function 00ABDEC5: SendMessageW.USER32(?,0000101E,00000000,000000FE), ref: 00ABDFA3
                        • Part of subcall function 00AB675F: __EH_prolog3_GS.LIBCMT ref: 00AB6769
                        • Part of subcall function 00ABB44F: __EH_prolog3_GS.LIBCMT ref: 00ABB456
                        • Part of subcall function 00ABB44F: SendMessageW.USER32(00000000,00000111,00000000,00000000), ref: 00ABB496
                        • Part of subcall function 00ABB44F: SendMessageW.USER32(00000000,0000000C,00000000,?), ref: 00ABB4A0
                        • Part of subcall function 00ABB44F: SendMessageW.USER32(00000000,0000000C,00000000,-00000004), ref: 00ABB4C4
                        • Part of subcall function 00ABB44F: SendMessageW.USER32(00000000,00000111,00000001,00000000), ref: 00ABB4DC
                      • GetDlgItem.USER32(0000012D), ref: 00ABCE23
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00AB0A27: __EH_prolog3_GS.LIBCMT ref: 00AB0A2E
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000400,000000FF), ref: 00ABCE82
                      Strings
                      Similarity
                      • API ID: H_prolog3_$MessageSend$Item$ErrorLast$FreeStringWaitWindow$CloseCodeCommandExecuteExitFileHandleIdleInputLineModuleNameObjectProcessShellShowSingle_memset
                      • String ID: /debuglog"$ /runprerequisites"$&$..\..\..\Shared\Setup\IsPreReqDlg.cpp$ISPREREQDIR$MSI or .NET rebooting before prerequsite$Prerequisites need elevation; launching elevated with arguments: %s$SETUPEXEDIR$SETUPEXENAME$The prerequisite appears to have failed...$[ISPREREQDIR]$[SETUPEXEDIR]$[SETUPEXENAME]$runas
                      • API String ID: 1325908419-2299799362
                      • Opcode ID: bc9882259cc690b75d31bdd1f80fd7ba9b84764ce974c2ae7b0c01db3f48382d
                      • Instruction ID: 47c5c8ba015eb885a971194e3999713b95be621abe87d574ae081562a1cc7e29
                      • Opcode Fuzzy Hash: bc9882259cc690b75d31bdd1f80fd7ba9b84764ce974c2ae7b0c01db3f48382d
                      • Instruction Fuzzy Hash: 87A29C71901259EEDB20EB64CD45BEDBBB8AF11304F1480D9E149A7192EB74AF88CF91
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AD1697
                      • _memset.LIBCMT ref: 00AD16B7
                      • GetTempPathW.KERNEL32(00000400,?), ref: 00AD16CB
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      • FindFirstFileW.KERNEL32(?,?), ref: 00AD1753
                      • CompareFileTime.KERNEL32(?,?), ref: 00AD177D
                      • DeleteFileW.KERNEL32(?,?,?,00000001,?,?,00000001), ref: 00AD17FF
                      • FindNextFileW.KERNEL32(00000000,?), ref: 00AD181C
                      Similarity
                      • API ID: ErrorFileLast$FindFreeString$CompareDeleteFirstH_prolog3_NextPathTempTime_memset
                      • String ID: *.mst
                      • API String ID: 2018102183-516677590
                      • Opcode ID: 5ec44b13b04be3a395f1629e3e6a4ffbe8ed2dd87c70ba151eb6124f74956b1c
                      • Instruction ID: a049a90b04ebc3e8ac65031f8c2971d934e3c97228b40d26672664faadab2698
                      • Opcode Fuzzy Hash: 5ec44b13b04be3a395f1629e3e6a4ffbe8ed2dd87c70ba151eb6124f74956b1c
                      • Instruction Fuzzy Hash: FE412B7190011AEADB20EBA4CD55BEEB7B8BF15300F1081E6E159A7091EF745F89CF91
                      APIs
                      • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,NoSuppressRebootKey,?,00000001), ref: 00B0A475
                      • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,?,?,?,?,?,?,?,NoSuppressRebootKey,?,00000001), ref: 00B0A482
                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00B0A499
                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00B0A4C4
                      • ExitWindowsEx.USER32(00000002,0000FFFF), ref: 00B0A4D2
                      Similarity
                      • API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueWindows
                      • String ID: SeShutdownPrivilege
                      • API String ID: 1314775590-3733053543
                      • Opcode ID: 051bb8205f24c0bbf21f776198318b9e0f13efc440f00270556e01fd66ce5db8
                      • Instruction ID: edc76358a4c815bf87cc25ae2e50cd71b24d7815542cdaefd5e8d4177b89ba92
                      • Opcode Fuzzy Hash: 051bb8205f24c0bbf21f776198318b9e0f13efc440f00270556e01fd66ce5db8
                      • Instruction Fuzzy Hash: A7015B71901619ABDF20DFB5DD0AAEFBBB8FF09300F100418E505E3280DB749605CBA1
                      APIs
                      • GetLocaleInfoW.KERNEL32(?,00001004,?,00000014), ref: 00ABEC4C
                      • TranslateCharsetInfo.GDI32(00000000,?,00000002), ref: 00ABEC67
                      • IsValidLocale.KERNEL32(?,00000001), ref: 00ABEC95
                      Similarity
                      • API ID: InfoLocale$CharsetTranslateValid
                      • String ID:
                      • API String ID: 1865635962-0
                      • Opcode ID: 523be57a6ce449442a930a1d2700e77082f698d38af2570405cd6058dd59caa5
                      • Instruction ID: 5c1453212eee4b5505ee8294f073cb65d907cc713266ec09d583c2b534ad150a
                      • Opcode Fuzzy Hash: 523be57a6ce449442a930a1d2700e77082f698d38af2570405cd6058dd59caa5
                      • Instruction Fuzzy Hash: 27116134A00108AEDB24EF64DD45AFEBBFCAF19700B504419FA41DB191EB71D941C7A8
                      APIs
                      • GetLocaleInfoW.KERNEL32(?,00001004,?,00000014), ref: 00AF146A
                      • TranslateCharsetInfo.GDI32(00000000,?,00000002), ref: 00AF1485
                      • IsValidLocale.KERNEL32(?,00000001), ref: 00AF149D
                      Similarity
                      • API ID: InfoLocale$CharsetTranslateValid
                      • String ID:
                      • API String ID: 1865635962-0
                      • Opcode ID: d4bc529849791ef7dd088048b0e162ab9ee95b0212eb8a330e6c82bd5f566f48
                      • Instruction ID: 42d7cecb9c5c2c6b76dcdf36f0337d1741df85bd26f8a3e3344978614e9262f5
                      • Opcode Fuzzy Hash: d4bc529849791ef7dd088048b0e162ab9ee95b0212eb8a330e6c82bd5f566f48
                      • Instruction Fuzzy Hash: 97019E70A00A08EBDB10DFB4DC46ABE77B8EB48756B504515FB01EB1D0DBB8E94187A4
                      APIs
                      • CoCreateInstance.OLE32(00B3E7C8,00000000,00000001,00B452F0,?), ref: 00AD8BE5
                      Similarity
                      • API ID: CreateInstance
                      • String ID:
                      • API String ID: 542301482-0
                      • Opcode ID: 1d42010f7d0640778369b843f080d684b157b8599580fb4cf2a9236890846f0a
                      • Instruction ID: 9f0b236da8cfa8e24caaa6c2544af5f1805ec98ee59bc6e9cc2fdcf5168d360f
                      • Opcode Fuzzy Hash: 1d42010f7d0640778369b843f080d684b157b8599580fb4cf2a9236890846f0a
                      • Instruction Fuzzy Hash: 55F0A7B2341622A7C7214B49DCC4D5BFBE9EF99BA0711016BFA0A9B350CB71AC40C7E4
                      APIs
                      • GetLocaleInfoW.KERNEL32(?,00001004,?,00000014), ref: 00AF14DF
                      Similarity
                      • API ID: InfoLocale
                      • String ID:
                      • API String ID: 2299586839-0
                      • Opcode ID: 035e29d153539bb2c8b24e109e9020db237bf9dbd83a0257305be58fdbef5cf0
                      • Instruction ID: e300f62708c639ba95b90ff25ed80d81152b19c0d3ae5bda0ae7151d3e9ea512
                      • Opcode Fuzzy Hash: 035e29d153539bb2c8b24e109e9020db237bf9dbd83a0257305be58fdbef5cf0
                      • Instruction Fuzzy Hash: 27F01C71A1020CABDB10EFB89D469EEB7E8EB48715B504465FB42EB190DA70EA058B94
                      APIs
                      • GetLastError.KERNEL32 ref: 00AA1C7F
                      • SetLastError.KERNEL32(00B36418), ref: 00AA1CC2
                        • Part of subcall function 00AA3730: SysStringLen.OLEAUT32(?), ref: 00AA373E
                        • Part of subcall function 00AA3730: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00AA3758
                      • GetDateFormatW.KERNEL32(00000800,00000000,00000000,M-d-yyyy,00000000,00000080), ref: 00AA1D0A
                        • Part of subcall function 00AA34F0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0), ref: 00AA352F
                        • Part of subcall function 00AA34F0: GetLastError.KERNEL32(?,00000000,000000FF), ref: 00AA35C9
                        • Part of subcall function 00AA34F0: SysFreeString.OLEAUT32(?), ref: 00AA35E3
                        • Part of subcall function 00AA34F0: SysFreeString.OLEAUT32(?), ref: 00AA35F0
                        • Part of subcall function 00AA34F0: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,SOFTWARE\InstallShield\25.0\Professional), ref: 00AA3614
                        • Part of subcall function 00AA34F0: SetLastError.KERNEL32(?,?,00000000,74DEDFA0), ref: 00AA361A
                      • GetLastError.KERNEL32 ref: 00AA1D31
                      • SetLastError.KERNEL32(00B36418), ref: 00AA1D65
                        • Part of subcall function 00AA3730: _wmemcpy_s.LIBCMT ref: 00AA3785
                      • GetTimeFormatW.KERNEL32(00000800,00000000,00000000,hh':'mm':'ss tt,00000000,00000080,?,00000080), ref: 00AA1DAA
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00AA2970: GetLastError.KERNEL32 ref: 00AA29D5
                        • Part of subcall function 00AA2970: SetLastError.KERNEL32(00B36418,00000000,00000000,000000FF), ref: 00AA2A3E
                        • Part of subcall function 00AA2970: GetLastError.KERNEL32(?), ref: 00AA2A94
                        • Part of subcall function 00AA2970: SysFreeString.OLEAUT32(?), ref: 00AA2AAE
                        • Part of subcall function 00AA2970: SysFreeString.OLEAUT32(?), ref: 00AA2ABB
                        • Part of subcall function 00AA2970: SetLastError.KERNEL32(?), ref: 00AA2ADF
                        • Part of subcall function 00AA2DD0: GetLastError.KERNEL32 ref: 00AA2E3B
                        • Part of subcall function 00AA2DD0: SetLastError.KERNEL32(00B36418,00000000,00000000,000000FF), ref: 00AA2EA4
                        • Part of subcall function 00AA2DD0: SysFreeString.OLEAUT32(?), ref: 00AA2F96
                        • Part of subcall function 00AA2970: GetLastError.KERNEL32(00000000,?,00000000,?), ref: 00AA2B80
                        • Part of subcall function 00AA2970: SysFreeString.OLEAUT32(?), ref: 00AA2B98
                        • Part of subcall function 00AA2970: SysFreeString.OLEAUT32(?), ref: 00AA2BA5
                        • Part of subcall function 00AA2970: SetLastError.KERNEL32(?), ref: 00AA2BC9
                        • Part of subcall function 00AA2970: GetLastError.KERNEL32(00000000,00000000,000000FF), ref: 00AA2C24
                        • Part of subcall function 00AA2970: SysFreeString.OLEAUT32(?), ref: 00AA2C3C
                        • Part of subcall function 00AA2970: SysFreeString.OLEAUT32(?), ref: 00AA2C49
                        • Part of subcall function 00AA26D0: GetLastError.KERNEL32 ref: 00AA2735
                        • Part of subcall function 00AA26D0: SetLastError.KERNEL32(00B36418,00000000,00000000,000000FF), ref: 00AA2795
                        • Part of subcall function 00AA26D0: GetLastError.KERNEL32 ref: 00AA27BE
                        • Part of subcall function 00AA26D0: SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 00AA281E
                        • Part of subcall function 00AA26D0: GetLastError.KERNEL32 ref: 00AA283E
                      • GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,00000001,?,?,?,00000001), ref: 00AA1E67
                      • SysFreeString.OLEAUT32(?), ref: 00AA1E8B
                      • SysFreeString.OLEAUT32(?), ref: 00AA1E9E
                      • SetLastError.KERNEL32(?), ref: 00AA1ED1
                      • GetLastError.KERNEL32 ref: 00AA1EE6
                      • SysFreeString.OLEAUT32(?), ref: 00AA1F04
                      • SysFreeString.OLEAUT32(?), ref: 00AA1F17
                      • SetLastError.KERNEL32(?), ref: 00AA1F4A
                      • GetLastError.KERNEL32 ref: 00AA1F5F
                      • SysFreeString.OLEAUT32(?), ref: 00AA1F7D
                      • SysFreeString.OLEAUT32(?), ref: 00AA1F90
                      • SetLastError.KERNEL32(?), ref: 00AA1FC3
                      • GetLastError.KERNEL32 ref: 00AA1FD8
                      • SysFreeString.OLEAUT32(?), ref: 00AA1FF6
                      • SysFreeString.OLEAUT32(?), ref: 00AA2009
                      • SetLastError.KERNEL32(?), ref: 00AA203C
                      • GetLastError.KERNEL32 ref: 00AA2051
                      • SysFreeString.OLEAUT32(?), ref: 00AA206F
                      • SysFreeString.OLEAUT32(?), ref: 00AA2082
                      • SetLastError.KERNEL32(?), ref: 00AA20B5
                      • GetLastError.KERNEL32 ref: 00AA20CD
                      • SetLastError.KERNEL32(00B36418), ref: 00AA2120
                      • GetLastError.KERNEL32 ref: 00AA21E5
                      • SysFreeString.OLEAUT32(?), ref: 00AA2203
                      • SysFreeString.OLEAUT32(?), ref: 00AA2216
                      • SetLastError.KERNEL32(?), ref: 00AA2249
                      • GetLastError.KERNEL32 ref: 00AA225E
                      • SysFreeString.OLEAUT32(?), ref: 00AA227C
                      • SysFreeString.OLEAUT32(?), ref: 00AA228F
                      • SetLastError.KERNEL32(?), ref: 00AA22C2
                      • GetLastError.KERNEL32 ref: 00AA22D1
                      • SysFreeString.OLEAUT32(?), ref: 00AA22E9
                      • SysFreeString.OLEAUT32(?), ref: 00AA22F6
                      • SetLastError.KERNEL32(?), ref: 00AA231A
                      • GetLastError.KERNEL32 ref: 00AA232F
                      • SysFreeString.OLEAUT32(?), ref: 00AA2347
                      • SysFreeString.OLEAUT32(?), ref: 00AA2354
                        • Part of subcall function 00AA3440: __vwprintf_p.LIBCMT ref: 00AA346F
                        • Part of subcall function 00AA3440: vswprintf.LIBCMT ref: 00AA34A1
                      • SetLastError.KERNEL32(?), ref: 00AA2378
                      Similarity
                      • API ID: ErrorLast$String$Free$Format$AllocDateTime__vwprintf_p_wmemcpy_svswprintf
                      • String ID: %s[%s]: %s$%s[%s]: %s -- File: %s, Line: %d$M-d-yyyy$hh':'mm':'ss tt
                      • API String ID: 1002200784-1641453432
                      • Opcode ID: cec89d0da4b763ec11bfe32b5eedfd019c379876a2e178801d4254ed61ad199e
                      • Instruction ID: 6af729be229555d5a88723bf70163eff585e879f6455479a4f01ee7f34d02bd6
                      • Opcode Fuzzy Hash: cec89d0da4b763ec11bfe32b5eedfd019c379876a2e178801d4254ed61ad199e
                      • Instruction Fuzzy Hash: 8412DD715083809FD731DF68C849B9EBBE5BF99308F10892CE58C972A1EB71A854CF56
                      APIs
                        • Part of subcall function 00B13620: GetLastError.KERNEL32(6D9FB08F), ref: 00B13674
                        • Part of subcall function 00B13620: SetLastError.KERNEL32(?), ref: 00B136AD
                      • wsprintfA.USER32 ref: 00B1481A
                        • Part of subcall function 00AA6350: _memmove.LIBCMT ref: 00AA6405
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      • GetLastError.KERNEL32 ref: 00B14872
                      • SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00B148C0
                      • lstrcpyA.KERNEL32(000000D0,?), ref: 00B14909
                      • lstrcpyA.KERNEL32(00000004,?), ref: 00B14910
                      • lstrcpyA.KERNEL32(00000068,?), ref: 00B14920
                      • MapDialogRect.USER32(?,?), ref: 00B1495E
                      • MulDiv.KERNEL32(?,000186A0,00000006), ref: 00B14989
                      • MulDiv.KERNEL32(?,000186A0,0000000D), ref: 00B1499E
                      • MulDiv.KERNEL32(?,?,00000004), ref: 00B14A06
                      • MulDiv.KERNEL32(?,?,00000008), ref: 00B14A32
                      • GetClientRect.USER32(?,?), ref: 00B14AC5
                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B14AD6
                      • CreateCompatibleDC.GDI32(00000000), ref: 00B14AE2
                      • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00B14AFB
                      • SelectObject.GDI32(?,00000000), ref: 00B14B0E
                      • MulDiv.KERNEL32(?,?,00000004), ref: 00B14B3E
                      • MulDiv.KERNEL32(?,?,00000008), ref: 00B14B51
                      • MulDiv.KERNEL32(?,?,00000004), ref: 00B14B64
                      • MulDiv.KERNEL32(?,?,00000008), ref: 00B14B77
                      • FillRect.USER32(?,?,?), ref: 00B14B8C
                      • GetDlgItem.USER32(?,?), ref: 00B14CAF
                      • DrawIcon.USER32(?,?,?,00000000), ref: 00B14CC6
                      Similarity
                      • API ID: ErrorLast$CreateRectlstrcpy$CompatibleFreeString$BitmapClientDialogDrawFillIconItemObjectSelect_memmovewsprintf
                      • String ID: -%04x$DISPLAY$PROP_PSKIN
                      • API String ID: 4259255117-337460466
                      • Opcode ID: c368970dc53bf3b12ca823efd76bbee75875171d22e6ef824c4783ee333503f8
                      • Instruction ID: 8f6a510b3b6960ca6c4726da7acd9c4caa6b55a1268d07fa0bb96b07ad9dc452
                      • Opcode Fuzzy Hash: c368970dc53bf3b12ca823efd76bbee75875171d22e6ef824c4783ee333503f8
                      • Instruction Fuzzy Hash: 5C227B71A00614EFDB21DF68C884BD9BBF1FF09304F5981D9E549AB2A1DB31AC84CB90
                      APIs
                      • _memset.LIBCMT ref: 00B1429F
                      • GetClassNameW.USER32(?,?,00000032), ref: 00B142AE
                      • lstrcmpiW.KERNEL32(Button,?), ref: 00B142C3
                      • GetWindowLongW.USER32(?,000000F0), ref: 00B142D0
                      • SetWindowLongW.USER32(?,000000F0,?), ref: 00B14366
                      • GetWindowLongW.USER32(?,000000F4), ref: 00B1436F
                      • GetWindowRect.USER32(?,?), ref: 00B1449B
                      • MulDiv.KERNEL32(?,000186A0,000186A0), ref: 00B144E2
                      • MulDiv.KERNEL32(?,?,000186A0), ref: 00B144FF
                      • MulDiv.KERNEL32(?,000186A0,?), ref: 00B14529
                      • MulDiv.KERNEL32(?,000186A0,?), ref: 00B14568
                      • ScreenToClient.USER32(?,?), ref: 00B14594
                      • MulDiv.KERNEL32(?,?,00000004), ref: 00B145B6
                      • MulDiv.KERNEL32(?,?,00000008), ref: 00B145D0
                      • MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 00B145EF
                      • lstrcmpiW.KERNEL32(Static,?), ref: 00B14603
                      • GetWindowLongW.USER32(?,000000F0), ref: 00B14616
                      • GetWindowLongW.USER32(?,000000F0), ref: 00B14627
                      • GetWindowRect.USER32(?,?), ref: 00B14639
                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00B1464A
                      • SendMessageW.USER32(?,00000171,00000000,00000000), ref: 00B14666
                      • GetWindowLongW.USER32(?,000000F4), ref: 00B14689
                      • ShowWindow.USER32(?,00000000), ref: 00B146BE
                      • GetWindowTextW.USER32(?,?,0000000A), ref: 00B14701
                      • SetWindowLongW.USER32(?,000000FC,00B15160), ref: 00B14716
                      • SetPropW.USER32(?,PROP_STAT_PSKIN,?), ref: 00B14733
                      • SetPropW.USER32(?,PROP_STAT_OLDPROC,00000000), ref: 00B1473C
                      Similarity
                      • API ID: Window$Long$PropRectlstrcmpi$ClassClientMessageMoveNamePointsScreenSendShowText_memset
                      • String ID: @$Button$PROP_STAT_OLDPROC$PROP_STAT_PSKIN$Static$msctls_progress32
                      • API String ID: 2481118448-847272177
                      • Opcode ID: 09a6cdc1b47469b9ba15b12dd9a3aa03ee347c8cde8b56e047609a3a3ec11804
                      • Instruction ID: efef18d0c7a8e1a156c02d02328d5f56ae2e6019265fc588d3fcea76aeec9227
                      • Opcode Fuzzy Hash: 09a6cdc1b47469b9ba15b12dd9a3aa03ee347c8cde8b56e047609a3a3ec11804
                      • Instruction Fuzzy Hash: B0F10874A00605AFC724DF64C984FAABBF5FB08304F548599E95ADB3A1DB31ED81CB50
                      APIs
                      • GetPropW.USER32(?,PROP_PSKIN), ref: 00B14E1B
                      • DefWindowProcW.USER32(?,?,?,?), ref: 00B14E33
                      Similarity
                      • API ID: ProcPropWindow
                      • String ID: Button$PROP_PSKIN$Static
                      • API String ID: 8399546-3691526359
                      • Opcode ID: 5630fe545e5ce40d5e3cdaec117e0ed700bf0828d299141628e2de0759ddae9a
                      • Instruction ID: a3f05921441c244556326cee6bffa32315c94e7760db9ef6639c9579929ca87d
                      • Opcode Fuzzy Hash: 5630fe545e5ce40d5e3cdaec117e0ed700bf0828d299141628e2de0759ddae9a
                      • Instruction Fuzzy Hash: C3915072600608AFDB24DFA4EC85FEE77B9FB48701F500596F60AD7161DB31AA90DB60
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ABC4AC
                      • EndDialog.USER32(?), ref: 00ABC51C
                      • GetDlgItem.USER32(?,00000001), ref: 00ABC534
                      • EnableWindow.USER32(00000000), ref: 00ABC537
                      • GetDlgItem.USER32(?,0000012D), ref: 00ABC545
                      • ShowWindow.USER32(00000000), ref: 00ABC548
                      • GetDlgItem.USER32(?,000003EB), ref: 00ABC5C6
                      • GetDlgItem.USER32(?,000003E9), ref: 00ABC5CF
                      • SetWindowTextW.USER32(?,-00000004), ref: 00ABC67D
                      • SendDlgItemMessageW.USER32(?,00000009,00000030,00000000,00000000), ref: 00ABC6B9
                      • SendDlgItemMessageW.USER32(?,00000001,00000030,00000000,00000000), ref: 00ABC6E5
                      • SendDlgItemMessageW.USER32(?,000003EB,00000030,00000000), ref: 00ABC6F7
                      • SendDlgItemMessageW.USER32(?,000003E9,00000030,00000000), ref: 00ABC709
                      • SendDlgItemMessageW.USER32(?,000003ED,00000030,00000000), ref: 00ABC71B
                      • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000), ref: 00ABC72D
                      • SendDlgItemMessageW.USER32(?,0000040A,00000030,00000000), ref: 00ABC73F
                      • SendDlgItemMessageW.USER32(?,000003EE,00000030,00000000), ref: 00ABC751
                      • SendDlgItemMessageW.USER32(?,0000040B,00000030,00000000), ref: 00ABC763
                      • GetDlgItem.USER32(?,0000012D), ref: 00ABC773
                      • ShowWindow.USER32(00000000), ref: 00ABC776
                      • GetDlgItem.USER32(?,000003EE), ref: 00ABC829
                      • SetWindowTextW.USER32(00000000), ref: 00ABC82C
                      • DeleteObject.GDI32(000000D4), ref: 00ABC8B6
                      Similarity
                      • API ID: Item$MessageSend$Window$ShowText$DeleteDialogEnableH_prolog3_Object
                      • String ID: PrereqDialog
                      • API String ID: 128106140-694180481
                      • Opcode ID: 630c2a0b7b38c8b3838ab448295961394daee4288400309a104e74f61e6af929
                      • Instruction ID: fe4d83291f4964fd570413d127350e0e5c838865b951645eef6301cf61bf8c82
                      • Opcode Fuzzy Hash: 630c2a0b7b38c8b3838ab448295961394daee4288400309a104e74f61e6af929
                      • Instruction Fuzzy Hash: B0B1B171901258AFEB25DBA0CD4AFEE77B8EB05710F104099F6056B1E2CBB46A45CB64
                      APIs
                      • GetLastError.KERNEL32 ref: 00AA2E3B
                      • SetLastError.KERNEL32(00B36418,00000000,00000000,000000FF), ref: 00AA2EA4
                      • SysFreeString.OLEAUT32(?), ref: 00AA2F96
                      • SysFreeString.OLEAUT32(?), ref: 00AA2FA9
                      • SetLastError.KERNEL32(?), ref: 00AA2FDC
                        • Part of subcall function 00AA40E0: GetLastError.KERNEL32 ref: 00AA413F
                        • Part of subcall function 00AA40E0: SetLastError.KERNEL32(00B36418), ref: 00AA4177
                        • Part of subcall function 00AA40E0: GetLastError.KERNEL32(00000000,00000000,000000FF,?,00000000,00000000,?,00000002,00000001), ref: 00AA4250
                      • GetLastError.KERNEL32(?,00000000,000000FF,-00000004,?,00000001,?,00000000,?,000000FF,00000001), ref: 00AA30B0
                      • SetLastError.KERNEL32(00B36418,00B45168,00000000), ref: 00AA3110
                      • SysFreeString.OLEAUT32(?), ref: 00AA31A7
                      • SysFreeString.OLEAUT32(?), ref: 00AA31BA
                      • SetLastError.KERNEL32(?), ref: 00AA31ED
                      • GetLastError.KERNEL32 ref: 00AA3202
                      • SysFreeString.OLEAUT32(?), ref: 00AA321A
                      • SysFreeString.OLEAUT32(?), ref: 00AA3227
                      • SetLastError.KERNEL32(?), ref: 00AA324B
                      • GetLastError.KERNEL32(?,00000000,000000FF,-00000004,?,00000001,?,00000000,?,000000FF,00000001), ref: 00AA325E
                      • SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00AA32B1
                      • GetLastError.KERNEL32 ref: 00AA32C6
                      • SysFreeString.OLEAUT32(?), ref: 00AA32E4
                      • SysFreeString.OLEAUT32(?), ref: 00AA32F7
                      • SetLastError.KERNEL32(?), ref: 00AA332A
                      • GetLastError.KERNEL32 ref: 00AA3339
                      • SysFreeString.OLEAUT32(?), ref: 00AA3351
                      • SysFreeString.OLEAUT32(?), ref: 00AA335E
                      • SetLastError.KERNEL32(?), ref: 00AA3382
                      Similarity
                      • API ID: ErrorLast$FreeString
                      • String ID: \
                      • API String ID: 2425351278-2967466578
                      • Opcode ID: 74dc363a8433256448cc497f62a7aafaedf7ff8b47f89c8ff6af07b1a22523fc
                      • Instruction ID: 8542bda22e9fec065f77649fb0e70d6e30886ebabd40026d95c246181125d093
                      • Opcode Fuzzy Hash: 74dc363a8433256448cc497f62a7aafaedf7ff8b47f89c8ff6af07b1a22523fc
                      • Instruction Fuzzy Hash: 88F10771508380DFDB20DF68C844B9BBBE4BF89314F104A2CF599972A1EB75A958CF52
                      APIs
                      • GetLastError.KERNEL32 ref: 00AA4A2B
                      • SetLastError.KERNEL32(00B36418,00000000,00000000,000000FF), ref: 00AA4A94
                      • GetLastError.KERNEL32 ref: 00AA4AB4
                      • SetLastError.KERNEL32(00B36418), ref: 00AA4AF1
                      • GetLastError.KERNEL32(?,000000FF,00000001), ref: 00AA4B6C
                      • SysFreeString.OLEAUT32(?), ref: 00AA4B86
                      • SysFreeString.OLEAUT32(?), ref: 00AA4B99
                      • SetLastError.KERNEL32(?), ref: 00AA4BD2
                      • GetLastError.KERNEL32(00000000,00000000,000000FF,?,00000000,000000FF,?,000000FF,00000001), ref: 00AA4C32
                      • SysFreeString.OLEAUT32(?), ref: 00AA4C4C
                      • SysFreeString.OLEAUT32(?), ref: 00AA4C5F
                      • SetLastError.KERNEL32(?), ref: 00AA4C98
                      • GetLastError.KERNEL32(?,000000FF,00000001), ref: 00AA4CAB
                      • SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00AA4D02
                      • GetLastError.KERNEL32 ref: 00AA4D17
                      • SysFreeString.OLEAUT32(?), ref: 00AA4D2B
                      • SysFreeString.OLEAUT32(?), ref: 00AA4D38
                      • SetLastError.KERNEL32(?), ref: 00AA4D5C
                      • GetLastError.KERNEL32 ref: 00AA4D6F
                      • SysFreeString.OLEAUT32(?), ref: 00AA4D83
                      • SysFreeString.OLEAUT32(?), ref: 00AA4D90
                      • SetLastError.KERNEL32(?), ref: 00AA4DB4
                      Similarity
                      • API ID: ErrorLast$FreeString
                      • String ID: .
                      • API String ID: 2425351278-248832578
                      • Opcode ID: d0229f3371d5eb3881353d7c193b58489511ab4619995340afc2eefbb6cf3b53
                      • Instruction ID: 508c3914a951190bc0b8cd5fe2c8433efca9c69bcf2f621d1fa914c66a338d76
                      • Opcode Fuzzy Hash: d0229f3371d5eb3881353d7c193b58489511ab4619995340afc2eefbb6cf3b53
                      • Instruction Fuzzy Hash: C1B1F5715083809FD720DF68C844B5BFBE0BF89318F104A2DE598972A1DBB5E849CF96
                      APIs
                      • __EH_prolog3_catch_GS.LIBCMT ref: 00AE89F3
                      • _memset.LIBCMT ref: 00AE8AD7
                        • Part of subcall function 00AB0A27: __EH_prolog3_GS.LIBCMT ref: 00AB0A2E
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      • ShellExecuteExW.SHELL32(?), ref: 00AE8D4A
                      • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000004FF), ref: 00AE8DD4
                      • PeekMessageW.USER32(?,00000000,00000113,00000113,00000001), ref: 00AE8DF1
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,04270001), ref: 00AE8E03
                      • TranslateMessage.USER32(?), ref: 00AE8E0D
                      • DispatchMessageW.USER32(?), ref: 00AE8E17
                      • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00AE8E24
                      • GetExitCodeProcess.KERNEL32(00000000,?), ref: 00AE8E3D
                      • CloseHandle.KERNEL32(00000000), ref: 00AE8E49
                        • Part of subcall function 00AE7538: __EH_prolog3.LIBCMT ref: 00AE753F
                        • Part of subcall function 00AE7538: SetCurrentDirectoryW.KERNEL32(00000000,00000004,00AE8EEB,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00AE755F
                      • GetLastError.KERNEL32(?), ref: 00AE8E91
                      Strings
                      • Creating new process for prerequisite, launching command line %s [%s] %s, xrefs: 00AE8D1F
                      • No process created by successful prerequisite launch, xrefs: 00AE8D71
                      • Could not launch prerequisite, last error: %d, ShellExecute: %d, xrefs: 00AE8E98
                      • Launching: , xrefs: 00AE8BCE
                      • Prerequisite process exited with return code %d, xrefs: 00AE8E65
                      • open, xrefs: 00AE8B73
                      • CSetupPreRequisite::ExecuteGenericPrerequisite, xrefs: 00AE8A43
                      • <, xrefs: 00AE8ADF
                      • ..\..\..\Shared\Setup\SetupPreRequisite.cpp, xrefs: 00AE8A15, 00AE8A27, 00AE8A2C
                      Similarity
                      • API ID: Message$ErrorLast$FreePeekStringWait$CloseCodeCurrentDirectoryDispatchExecuteExitH_prolog3H_prolog3_H_prolog3_catch_HandleMultipleObjectObjectsProcessShellSingleTranslate_memset
                      • String ID: ..\..\..\Shared\Setup\SetupPreRequisite.cpp$<$CSetupPreRequisite::ExecuteGenericPrerequisite$Could not launch prerequisite, last error: %d, ShellExecute: %d$Creating new process for prerequisite, launching command line %s [%s] %s$Launching: $No process created by successful prerequisite launch$Prerequisite process exited with return code %d$open
                      • API String ID: 1872484157-621072123
                      • Opcode ID: 32dd6652f15a91c6a0b265747f9b6db8cc338ae3a591856b819f0d005bea1132
                      • Instruction ID: 10879850022e4eaf8dab784cbe5be28c575f870180784b6eb4b8ba293690b169
                      • Opcode Fuzzy Hash: 32dd6652f15a91c6a0b265747f9b6db8cc338ae3a591856b819f0d005bea1132
                      • Instruction Fuzzy Hash: 18E15B7090029CEEEF21DBA5CE45BEDB7B8AB15300F1041E9E149A7191EBB46F49CF61
                      APIs
                      • GetLastError.KERNEL32 ref: 00AA29D5
                      • SetLastError.KERNEL32(00B36418,00000000,00000000,000000FF), ref: 00AA2A3E
                      • GetLastError.KERNEL32(?), ref: 00AA2A94
                      • SysFreeString.OLEAUT32(?), ref: 00AA2AAE
                      • SysFreeString.OLEAUT32(?), ref: 00AA2ABB
                      • SetLastError.KERNEL32(?), ref: 00AA2ADF
                      • GetLastError.KERNEL32(00000000,?,00000000,?), ref: 00AA2B80
                      • SysFreeString.OLEAUT32(?), ref: 00AA2B98
                      • SysFreeString.OLEAUT32(?), ref: 00AA2BA5
                      • SetLastError.KERNEL32(?), ref: 00AA2BC9
                      • GetLastError.KERNEL32(00000000,00000000,000000FF), ref: 00AA2C24
                      • SysFreeString.OLEAUT32(?), ref: 00AA2C3C
                      • SysFreeString.OLEAUT32(?), ref: 00AA2C49
                      • SetLastError.KERNEL32(?), ref: 00AA2C6D
                      • GetLastError.KERNEL32(?), ref: 00AA2C91
                      • SysFreeString.OLEAUT32(?), ref: 00AA2CA9
                      • SysFreeString.OLEAUT32(?), ref: 00AA2CB6
                      • SetLastError.KERNEL32(?), ref: 00AA2CDA
                      • GetLastError.KERNEL32 ref: 00AA2CED
                      • SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00AA2D40
                      • GetLastError.KERNEL32 ref: 00AA2D4F
                      • SysFreeString.OLEAUT32(?), ref: 00AA2D67
                      • SysFreeString.OLEAUT32(?), ref: 00AA2D74
                      • SetLastError.KERNEL32(?), ref: 00AA2D98
                      Similarity
                      • API ID: ErrorLast$FreeString
                      • String ID:
                      • API String ID: 2425351278-0
                      • Opcode ID: 4b69fa1ce8ea952d1763627fe32a083d196230035ac94d2c09f1baa25d439651
                      • Instruction ID: 507ae8eaff7b7140e6cc399255b7bd1818035c853b9dcb63995a3819815ce79c
                      • Opcode Fuzzy Hash: 4b69fa1ce8ea952d1763627fe32a083d196230035ac94d2c09f1baa25d439651
                      • Instruction Fuzzy Hash: 28D112715083409FD720DF68C984B5BFBE0BF89718F104A2CF589972A1EB75E958CB92
                      APIs
                      • GetLastError.KERNEL32 ref: 00AA1737
                      • SetLastError.KERNEL32(00B36418), ref: 00AA1775
                      • GetLastError.KERNEL32(?,00000104), ref: 00AA17F5
                      • SetLastError.KERNEL32(00B36418), ref: 00AA1842
                      • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104), ref: 00AA187B
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                      Similarity
                      • API ID: ErrorLast$FileModuleName
                      • String ID: InstallShield.log$SOFTWARE\InstallShield\25.0\Professional$VerboseLogPath$`{Al
                      • API String ID: 1026760046-1954735378
                      • Opcode ID: 3d2d0f9e4aa502d818fc446b023eb7bf4164f0aa6b87c6db7a71d33fbd2702f5
                      • Instruction ID: 66dc839ed0d6958c3688f50aadd36504673654b5644c9fbb6354f1d380f26cbf
                      • Opcode Fuzzy Hash: 3d2d0f9e4aa502d818fc446b023eb7bf4164f0aa6b87c6db7a71d33fbd2702f5
                      • Instruction Fuzzy Hash: 4DA14A711083809FD720DF68C885B9BBBE4BF89308F10491DF599972A1DBB5A948CF52
                      APIs
                      • GetLastError.KERNEL32 ref: 00AA413F
                      • SetLastError.KERNEL32(00B36418), ref: 00AA4177
                      • GetLastError.KERNEL32(00000000,00000000,000000FF,?,00000000,00000000,?,00000002,00000001), ref: 00AA4250
                      • SysFreeString.OLEAUT32(?), ref: 00AA4268
                      • SysFreeString.OLEAUT32(?), ref: 00AA4275
                      • SetLastError.KERNEL32(?), ref: 00AA429F
                      • GetLastError.KERNEL32(?), ref: 00AA4334
                      • SysFreeString.OLEAUT32(?), ref: 00AA434C
                      • SysFreeString.OLEAUT32(?), ref: 00AA4359
                      • SetLastError.KERNEL32(?), ref: 00AA437D
                      • GetLastError.KERNEL32 ref: 00AA4390
                      • SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00AA43E3
                      • GetLastError.KERNEL32 ref: 00AA43F2
                      • SysFreeString.OLEAUT32(?), ref: 00AA440A
                      • SysFreeString.OLEAUT32(?), ref: 00AA4417
                      • SetLastError.KERNEL32(?), ref: 00AA443B
                      Similarity
                      • API ID: ErrorLast$FreeString
                      • String ID: \
                      • API String ID: 2425351278-2967466578
                      • Opcode ID: b76c8e0a52c6fbc668351ffd97c811347e3238e223e947bc440b8e1a3f344240
                      • Instruction ID: 531293a8a0337511226b9f74334b5c73c8500b502a9cd91618ef41f78dec4d34
                      • Opcode Fuzzy Hash: b76c8e0a52c6fbc668351ffd97c811347e3238e223e947bc440b8e1a3f344240
                      • Instruction Fuzzy Hash: 22A13A71508740DFDB20DF64C985B5BBBE4BF89308F104A2CF5999B2A1DBB1E948CB52
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AC4089
                      • GetWindowLongW.USER32(?,000000EB), ref: 00AC40B1
                      • GetDlgItem.USER32(?,00000132), ref: 00AC40CC
                      • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00AC40E4
                      • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00AC40EF
                      • EndDialog.USER32(?,00000001), ref: 00AC40FE
                      • EndDialog.USER32(?,00000002), ref: 00AC4113
                      • GetDlgItem.USER32(?,00000132), ref: 00AC4124
                      • SetWindowLongW.USER32(?,000000EB,?), ref: 00AC4134
                      • SendMessageW.USER32(?,00000143,00000000,?), ref: 00AC4183
                      • SendMessageW.USER32(?,00000151,00000000,?), ref: 00AC419B
                      • SendMessageW.USER32(?,0000014E), ref: 00AC41C0
                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AC420B
                      • SetDlgItemTextW.USER32(?,00000001,-00000004), ref: 00AC4239
                      • SetDlgItemTextW.USER32(?,00000002,-00000004), ref: 00AC427C
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      • Associated: 0000000A.00000002.3776383382.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B64000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B68000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B6C000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B6F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B9F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000BAF000.00000002.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: MessageSend$Item$DialogLongTextWindow$H_prolog3_
                      • String ID:
                      • API String ID: 3382325393-0
                      • Opcode ID: 0e5a08c5677abeaa9880cee1cf728cf7dce96a1b9101d09c742a2858160114a8
                      • Instruction ID: 569b630b4e580366a200074b10aca4de34d8c3a8585b65b8b224cfd571c26193
                      • Opcode Fuzzy Hash: 0e5a08c5677abeaa9880cee1cf728cf7dce96a1b9101d09c742a2858160114a8
                      • Instruction Fuzzy Hash: E0718071940218ABDB24DF64CC86FED7778FB18311F104199F696A72E1DBB4AA80CF64
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ABE866
                      • GetVersionExW.KERNEL32 ref: 00ABE894
                      • SendMessageW.USER32(00000000,00000111,-00000003,00000000), ref: 00ABE9FB
                        • Part of subcall function 00ABCBB8: __EH_prolog3_GS.LIBCMT ref: 00ABCBBF
                      Strings
                      Similarity
                      • API ID: H_prolog3_$MessageSendVersion
                      • String ID: ..\..\..\Shared\Setup\IsPreReqDlg.cpp$StartStopProgress - Embedded$StartStopProgress - Embedded Looping$StartStopProgress - Fallback - %d of %d
                      • API String ID: 59336037-1791802421
                      • Opcode ID: 5d508c93226cb5284a8782e119c426ef1737f42ff1c4fbf61885b48ede7c9b48
                      • Instruction ID: cc760d00f1e9acf9122643586381c331cf17de75e960ec809a709b12cc4150c1
                      • Opcode Fuzzy Hash: 5d508c93226cb5284a8782e119c426ef1737f42ff1c4fbf61885b48ede7c9b48
                      • Instruction Fuzzy Hash: 9E719070950254BEEB25DB60CC46FEE7BBDEB01310F24819AF246A71E2DBB45E45CB20
                      APIs
                      • lstrcpyW.KERNEL32(000003FE,00B45168,?), ref: 00AF1913
                      • lstrcpyW.KERNEL32(00000000,00B45168), ref: 00AF191B
                      • _malloc.LIBCMT ref: 00AF1935
                        • Part of subcall function 00AF6529: __FF_MSGBANNER.LIBCMT ref: 00AF6540
                        • Part of subcall function 00AF6529: __NMSG_WRITE.LIBCMT ref: 00AF6547
                        • Part of subcall function 00AF6529: RtlAllocateHeap.NTDLL(00DB0000,00000000,00000001,00000000,?,00000000,?,00AF780F,00000008,00000008,00000008,?,?,00AFF433,00000018,00B5DA98), ref: 00AF656C
                      • _memset.LIBCMT ref: 00AF1946
                      • _memset.LIBCMT ref: 00AF1971
                      • wsprintfW.USER32 ref: 00AF19C3
                      • _memset.LIBCMT ref: 00AF19DB
                      • _memset.LIBCMT ref: 00AF1A23
                      • _memmove.LIBCMT ref: 00AF1A4F
                      • wsprintfW.USER32 ref: 00AF1A6F
                      • wsprintfW.USER32 ref: 00AF1A86
                      • lstrcpyW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00B37904,?,?,00000000), ref: 00AF1A9C
                      • _free.LIBCMT ref: 00AF1AAE
                      Strings
                      Similarity
                      • API ID: _memset$lstrcpywsprintf$AllocateHeap_free_malloc_memmove
                      • String ID: %s,%u$%u.%u.%u.%u$\VarFileInfo\Translation
                      • API String ID: 3387234471-1385173819
                      • Opcode ID: 3dcf7c03320546970de7b6936f2de013c9eb111e1a945c58ac52851f50213694
                      • Instruction ID: e7a912e045aa3633f8202aead6f42082824a3548aa120098c6ea485c7b0d8eaa
                      • Opcode Fuzzy Hash: 3dcf7c03320546970de7b6936f2de013c9eb111e1a945c58ac52851f50213694
                      • Instruction Fuzzy Hash: 1E517F71941228ABCB21AB958D89FBE77BCEF44344F1440D5FA0CA3192DB349B90CFA1
                      APIs
                      • CreateRectRgn.GDI32(?,?,?,?), ref: 00B19101
                      • SelectClipRgn.GDI32(?,00000000), ref: 00B1910F
                      • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00B19138
                      • PlayMetaFile.GDI32(?,?), ref: 00B19144
                      • SelectObject.GDI32(?,?), ref: 00B19151
                      • DeleteObject.GDI32(?), ref: 00B1915F
                      • GetTickCount.KERNEL32 ref: 00B19168
                      • SelectClipRgn.GDI32(?,00000000), ref: 00B1918B
                      • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00B191AE
                      • PlayMetaFile.GDI32(?,?), ref: 00B191C0
                      • PlayMetaFile.GDI32(00B13CDE,00000000), ref: 00B19798
                      • DeleteDC.GDI32(?), ref: 00B197A1
                      • RestoreDC.GDI32(00B13CDE,?), ref: 00B197AB
                      Strings
                      Similarity
                      • API ID: FileMetaPlaySelect$ClipDeleteObject$CountCreateRectRestoreTick
                      • String ID: gfff$gfff
                      • API String ID: 2043526094-3084402119
                      • Opcode ID: 2cf4cced1de34b1226285905a3fb96b6bad178f319e75db269eed068743a5b73
                      • Instruction ID: 27dac96ac43f66e94dedda162fd05a84b24bf353fb4b57d2a84af52d895e4ac4
                      • Opcode Fuzzy Hash: 2cf4cced1de34b1226285905a3fb96b6bad178f319e75db269eed068743a5b73
                      • Instruction Fuzzy Hash: 23415A31900609EFCB19CFA9DD88BEEBBB5FF49700F644159E506B7260CB35A851DB60
                      APIs
                      Strings
                      Similarity
                      • API ID: H_prolog3__memset_wcscpy
                      • String ID: %s%sReason: %s$>>> Fatal %sReason: %s$function failed.$handle in invalid state.$more buffer space required to hold data.$no more items.$passed a bad SQL syntax.$passed an invalid handle.$passed an invalid parameter.$unknown error.
                      • API String ID: 2196721711-2340172371
                      • Opcode ID: ae77b66c43fdbccc7a791d7e88e810e2092c8baa93cd48282bbd38b83a9067d6
                      • Instruction ID: 0835c0f8bc30fcfc6d3e0a2830f5fb732df506a7bbac586311cfc25479808b9e
                      • Opcode Fuzzy Hash: ae77b66c43fdbccc7a791d7e88e810e2092c8baa93cd48282bbd38b83a9067d6
                      • Instruction Fuzzy Hash: CD31BC71584208EAD7309FB4DE46FEE3AA8AB00700F348157B94AA7295DFB5DF418B91
                      APIs
                      • _memset.LIBCMT ref: 00ADAF12
                      • _memset.LIBCMT ref: 00ADAF2D
                      • _wcschr.LIBCMT ref: 00ADAFC1
                      • _wcschr.LIBCMT ref: 00ADAFD1
                      • wsprintfW.USER32 ref: 00ADAFFF
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      Strings
                      Similarity
                      • API ID: ErrorLast$FreeString_memset_wcschr$wsprintf
                      • String ID: %s$ %s"%s"$ %s%s$ScriptDriven$Startup$auto$no_engine
                      • API String ID: 1401725781-630800314
                      • Opcode ID: 48fe82e1b08f014d96c23a96e0b78564fb8dda740a7b446375b1ba67afadb6ae
                      • Instruction ID: b80b0d4c0d2ce7553873e4851c1ec21a40788abc262c7dca9882709c46ca3195
                      • Opcode Fuzzy Hash: 48fe82e1b08f014d96c23a96e0b78564fb8dda740a7b446375b1ba67afadb6ae
                      • Instruction Fuzzy Hash: 12E1BFB1904218EADB24DB64DC56BEEB7B8AF65300F5041DAE30AB71C1EB705F84CB65
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AEC316
                      • SendMessageW.USER32(?,0000000C,00000000,?), ref: 00AEC3B5
                      • SendMessageW.USER32(?,00000111,00000011,00000000), ref: 00AEC4D7
                      Similarity
                      • API ID: MessageSend$H_prolog3_
                      • String ID:
                      • API String ID: 3491702567-0
                      • Opcode ID: e6960a556d7902c2ed33ddea520276780b80452e0be5a7086d165fa24b1201aa
                      • Instruction ID: d4e1d16df3f936e647a33aa635455ec8d0f512ef6d00af000d567ca8bf8465d0
                      • Opcode Fuzzy Hash: e6960a556d7902c2ed33ddea520276780b80452e0be5a7086d165fa24b1201aa
                      • Instruction Fuzzy Hash: F6E1E171940659AFEB349B66CD99FAABBB5FF04320F20419AF50A971D0D730AD82CF50
                      APIs
                      • IsWindow.USER32(00000000), ref: 00ABE6A9
                      • GetDlgItem.USER32(000003EC,?), ref: 00ABE6D5
                      • GetWindowRect.USER32(00000000), ref: 00ABE6DE
                      • GetDlgItem.USER32(0000012D), ref: 00ABE6EB
                      • GetWindowRect.USER32(00000000,?), ref: 00ABE6F7
                      • ScreenToClient.USER32(?,?), ref: 00ABE736
                      • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000004), ref: 00ABE749
                      • GetDlgItem.USER32(000003EB), ref: 00ABE75A
                      • GetWindowRect.USER32(00000000,?), ref: 00ABE767
                      • GetWindowRect.USER32(?,?), ref: 00ABE780
                      • ScreenToClient.USER32(?,?), ref: 00ABE7B7
                      • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000004), ref: 00ABE7CA
                      • GetDlgItem.USER32(0000040B), ref: 00ABE7DB
                      • GetWindowRect.USER32(00000000,?), ref: 00ABE7EF
                      • GetWindowRect.USER32(00000000,?), ref: 00ABE7F6
                      • ScreenToClient.USER32(?,?), ref: 00ABE832
                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00ABE847
                      Similarity
                      • API ID: Window$Rect$Item$ClientScreen
                      • String ID:
                      • API String ID: 1521148189-0
                      • Opcode ID: f5ead4b72d30a8415196cbc5d41aec685f776c98a93db8e7fea387cd06f914eb
                      • Instruction ID: 07da51c1bd0d09d2b9c5011b35d2e6494d9e446562d4987252397785b609aadc
                      • Opcode Fuzzy Hash: f5ead4b72d30a8415196cbc5d41aec685f776c98a93db8e7fea387cd06f914eb
                      • Instruction Fuzzy Hash: 6D51C772A00258AFCF11DFF4DD49AAEBBB9FF48705F14401AEA01B7291CB75A905CB60
                      APIs
                      • GetObjectW.GDI32(00000018,?), ref: 00AEEA6B
                      • GetDesktopWindow.USER32 ref: 00AEEA75
                      • GetClientRect.USER32(00000000), ref: 00AEEA7C
                      • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00AEEAA3
                      • GetDC.USER32(?), ref: 00AEEAC6
                      • GetObjectW.GDI32(00000018,?), ref: 00AEEADD
                      • CreateCompatibleDC.GDI32(00000000), ref: 00AEEAE4
                      • UnrealizeObject.GDI32(00000000), ref: 00AEEB01
                      • SelectPalette.GDI32(00000000,00000000), ref: 00AEEB11
                      • RealizePalette.GDI32(00000000), ref: 00AEEB1A
                      • UnrealizeObject.GDI32 ref: 00AEEB22
                      • SelectPalette.GDI32(?,00000000), ref: 00AEEB30
                      • RealizePalette.GDI32(?), ref: 00AEEB33
                      • SelectObject.GDI32(00000000), ref: 00AEEB41
                      • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00AEEB58
                      • ReleaseDC.USER32(?,00000000), ref: 00AEEB62
                      • DeleteDC.GDI32(00000000), ref: 00AEEB69
                      Similarity
                      • API ID: Object$Palette$Select$RealizeUnrealizeWindow$ClientCompatibleCreateDeleteDesktopMoveRectRelease
                      • String ID:
                      • API String ID: 366568439-0
                      • Opcode ID: 0a17a0834fd87d66704eb33460bfef9e50b149482a4c920830fe1a48e8a0d6e5
                      • Instruction ID: 89ddadf84ca681e93c6af8bfc3fc7427ce1c2fd0bfba20b19436d55ba1b6c9ef
                      • Opcode Fuzzy Hash: 0a17a0834fd87d66704eb33460bfef9e50b149482a4c920830fe1a48e8a0d6e5
                      • Instruction Fuzzy Hash: 58411A72900648AFCB21EFE5ED48EAE7FB9FB4C311B504415F541A71A0CB759940CFA0
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AC8252
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00ADE5F1: _memset.LIBCMT ref: 00ADE61D
                        • Part of subcall function 00AC8829: __EH_prolog3_catch_GS.LIBCMT ref: 00AC8833
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00ADD595: __EH_prolog3_GS.LIBCMT ref: 00ADD59C
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      • _memset.LIBCMT ref: 00AC835D
                      • _memset.LIBCMT ref: 00AC8378
                        • Part of subcall function 00AF18D5: lstrcpyW.KERNEL32(000003FE,00B45168,?), ref: 00AF1913
                        • Part of subcall function 00AF18D5: lstrcpyW.KERNEL32(00000000,00B45168), ref: 00AF191B
                        • Part of subcall function 00AF18D5: _malloc.LIBCMT ref: 00AF1935
                        • Part of subcall function 00AF18D5: _memset.LIBCMT ref: 00AF1946
                        • Part of subcall function 00AF18D5: _memset.LIBCMT ref: 00AF1971
                        • Part of subcall function 00AF18D5: wsprintfW.USER32 ref: 00AF19C3
                        • Part of subcall function 00AF18D5: _memset.LIBCMT ref: 00AF19DB
                        • Part of subcall function 00AF263A: lstrcpyW.KERNEL32(?,?,00000000), ref: 00AF2673
                        • Part of subcall function 00AF263A: lstrcpyW.KERNEL32(?,00AB1124), ref: 00AF267D
                        • Part of subcall function 00AF263A: _swscanf.LIBCMT ref: 00AF26F2
                        • Part of subcall function 00AF263A: _swscanf.LIBCMT ref: 00AF271B
                        • Part of subcall function 00AF13A2: __EH_prolog3_GS.LIBCMT ref: 00AF13AC
                        • Part of subcall function 00AF13A2: wsprintfW.USER32 ref: 00AF13EE
                        • Part of subcall function 00AF13A2: wvsprintfW.USER32(?,?,?), ref: 00AF1409
                      • RegDeleteValueW.ADVAPI32(?,?), ref: 00AC87D7
                      Strings
                      • Startup, xrefs: 00AC82F8
                      • 4.05.0.0, xrefs: 00AC8396
                      • ScriptDriven, xrefs: 00AC82DB
                      • Windows Installer 4.5 or newer is required to run this installation but is not present on the machine. Setup will now exit., xrefs: 00AC83F8
                      • Software\Microsoft\Windows\CurrentVersion, xrefs: 00AC8673
                      • msiaction.cpp, xrefs: 00AC83DB, 00AC85B2
                      • %%IS_PREREQCMD%%-%s, xrefs: 00AC8513
                      • Installing silent prerequisites for features: %s, xrefs: 00AC85AC
                      • Msi.DLL, xrefs: 00AC8388
                      Similarity
                      • API ID: ErrorLast_memset$lstrcpy$H_prolog3_$FreeString_swscanfwsprintf$DeleteH_prolog3_catch_Value_mallocwvsprintf
                      • String ID: %%IS_PREREQCMD%%-%s$4.05.0.0$Installing silent prerequisites for features: %s$Msi.DLL$ScriptDriven$Software\Microsoft\Windows\CurrentVersion$Startup$Windows Installer 4.5 or newer is required to run this installation but is not present on the machine. Setup will now exit.$msiaction.cpp
                      • API String ID: 4162135644-146730128
                      • Opcode ID: fdf0d4d721fab724a6ee9c92e94f6496ecb8da1d431a4cf42e711391f051da45
                      • Instruction ID: ac1971981ad5318107533dd99323731701870b9a1af2174f4ad93186429589f4
                      • Opcode Fuzzy Hash: fdf0d4d721fab724a6ee9c92e94f6496ecb8da1d431a4cf42e711391f051da45
                      • Instruction Fuzzy Hash: 16F16B71900659EEDF20DB64CE95BEEBBB8AF05305F1040D9E209A7182EB749F88DF51
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ACA708
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00AAF37B: __EH_prolog3.LIBCMT ref: 00AAF382
                        • Part of subcall function 00AAF320: SysStringLen.OLEAUT32(?), ref: 00AAF32D
                        • Part of subcall function 00AAF320: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00AAF347
                      • GetTempPathW.KERNEL32(00000104,00000000,?,00000104), ref: 00ACA7B3
                        • Part of subcall function 00AAC8E0: __EH_prolog3_GS.LIBCMT ref: 00AAC8E7
                        • Part of subcall function 00AAC8E0: GetLastError.KERNEL32(00000038,00AB6EF1), ref: 00AAC8EE
                        • Part of subcall function 00AAC8E0: SetLastError.KERNEL32(00000000), ref: 00AAC944
                      • CoCreateGuid.OLE32(?), ref: 00ACA7CF
                        • Part of subcall function 00AC5256: __EH_prolog3.LIBCMT ref: 00AC525D
                        • Part of subcall function 00AB5F47: __EH_prolog3_GS.LIBCMT ref: 00AB5F4E
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,?,00000000), ref: 00ACA83B
                        • Part of subcall function 00AC5363: __EH_prolog3.LIBCMT ref: 00AC536A
                      • GetPrivateProfileStringW.KERNEL32(?,-00000004,00B45168,?,00000104,?), ref: 00ACA9E4
                      • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 00ACAAD5
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      • Associated: 0000000A.00000002.3776383382.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B64000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B68000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B6C000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B6F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B9F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000BAF000.00000002.00000001.01000000.00000007.sdmp
                      Similarity
                      • API ID: ErrorLast$String$CreateH_prolog3H_prolog3_$DirectoryFree$AllocGuidPathPrivateProfileTemp
                      • String ID: !$Could not extract isconfig.ini from current issetup.dll$Extracting resources for '%s' to '%s'$ISConfig.ini for current issetup.dll does not contain TempPathGuid.$IsConfig.ini$SetupDefaults$TempPathGuid$msiaction.cpp
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AE967B
                      • SendMessageW.USER32(?,0000000C,00000000,ISPREREQDIR), ref: 00AE9722
                      • SendMessageW.USER32(?,0000000C,00000000,?), ref: 00AE9743
                      • SendMessageW.USER32(?,00000111,00000008,00000000), ref: 00AE9754
                      • SendMessageW.USER32(?,0000000C,00000000,?), ref: 00AE9772
                      • SendMessageW.USER32(?,00000111,00000007,00000000), ref: 00AE9783
                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00AE9791
                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00AE97BF
                        • Part of subcall function 00AA3860: GetLastError.KERNEL32(6D9FB08F,?,?,?,?,00B308D8,000000FF), ref: 00AA38A2
                        • Part of subcall function 00AA3860: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,00B308D8,000000FF), ref: 00AA38FE
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: MessageSend$ErrorLast$H_prolog3_
                      • String ID: ISPREREQDIR$[ISPREREQDIR]$[ProductLanguage]$[SETUPEXEDIR]$[SETUPEXENAME]
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AD8EA5
                      • _wcsstr.LIBCMT ref: 00AD8F34
                      • CharNextW.USER32(?,?,00000000,00000001,0000005C,00AD925B,?,00000000), ref: 00AD8F45
                      • CharNextW.USER32(00000000,?,?,00000000,00000001,0000005C,00AD925B,?,00000000), ref: 00AD8F4A
                      • CharNextW.USER32(00000000,?,?,00000000,00000001,0000005C,00AD925B,?,00000000), ref: 00AD8F4F
                      • CharNextW.USER32(00000000,?,?,00000000,00000001,0000005C,00AD925B,?,00000000), ref: 00AD8F54
                      • CharNextW.USER32(00000000,}},?,00000000,00000001,0000005C,00AD925B,?,00000000), ref: 00AD8FFC
                      • CharNextW.USER32(?,00000000,?), ref: 00AD9081
                      • CharNextW.USER32(?,00000000,00000001,0000005C,00AD925B,?,00000000), ref: 00AD9095
                      • CoTaskMemFree.OLE32(?,0000005C,00AD925B,?,00000000), ref: 00AD90DD
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: CharNext$FreeH_prolog3_Task_wcsstr
                      • String ID: }}$HKCR$HKCU{Software{Classes
                      APIs
                        • Part of subcall function 00AA1410: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00AA1434
                        • Part of subcall function 00AA1410: RegCloseKey.ADVAPI32(00000000), ref: 00AA1497
                      • _memset.LIBCMT ref: 00AC0750
                        • Part of subcall function 00AA1500: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00AA1528
                      • RegDeleteValueW.ADVAPI32(?,00000000), ref: 00AC0783
                        • Part of subcall function 00AAC6A3: __EH_prolog3.LIBCMT ref: 00AAC6AA
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      • RegDeleteValueW.ADVAPI32(?,ISSetup), ref: 00AC0650
                        • Part of subcall function 00AA13E0: RegCloseKey.ADVAPI32(00000000,00000000,00AF0B69,000001F0,?,00000000,0000000A,?,?,00000001,ServicePack,?,00000001,?,000001F0,00000000), ref: 00AA13EA
                        • Part of subcall function 00AA1410: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00AA144B
                      • __wcsnicmp.LIBCMT ref: 00AC0669
                      • CharNextW.USER32 ref: 00AC067A
                      • lstrcmpW.KERNEL32(00000000,%IS_V%), ref: 00AC0688
                      • lstrcpyW.KERNEL32(00B669A8,?,/verbose,?,00000001), ref: 00AC0821
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: Value$CloseDeleteErrorFreeLastString$AddressCharH_prolog3HandleModuleNextProcQuery__wcsnicmp_memsetlstrcmplstrcpy
                      • String ID: %IS_V%$/$/verbose$ISSetup$Software\Microsoft\Windows\CurrentVersion$Software\Microsoft\Windows\CurrentVersion\Run$verbose
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ACD21F
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00AC6E9F: __EH_prolog3_GS.LIBCMT ref: 00AC6EA9
                        • Part of subcall function 00AC6E9F: _memset.LIBCMT ref: 00AC6EC0
                        • Part of subcall function 00AC6E9F: _memset.LIBCMT ref: 00AC6EDB
                        • Part of subcall function 00ADE3F8: __EH_prolog3_GS.LIBCMT ref: 00ADE3FF
                        • Part of subcall function 00AAC6A3: __EH_prolog3.LIBCMT ref: 00AAC6AA
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast$H_prolog3_$FreeString_memset$H_prolog3
                      • String ID: 1.0$1.1$2.0$2.0.0.0$3.0$3.0.0.0$DotNetLangPacks$DotNetOptional$DotNetOptionalInstallIfSilent$J#InstallOptionIfSilent$J#Optional$Startup
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AE90FE
                        • Part of subcall function 00AE89E9: __EH_prolog3_catch_GS.LIBCMT ref: 00AE89F3
                        • Part of subcall function 00AE89E9: _memset.LIBCMT ref: 00AE8AD7
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00AE7AF4: __EH_prolog3_GS.LIBCMT ref: 00AE7AFB
                        • Part of subcall function 00AE7AF4: SetWindowTextW.USER32(00000000,?), ref: 00AE7BC4
                      Strings
                      • Exit Code Match -- Reboot Ignored, xrefs: 00AE9382
                      • MSI Returned ERROR_INSTALL_USEREXIT, xrefs: 00AE9490
                      • Return Code from EXE: %d, xrefs: 00AE92F1
                      • Data File Location: , xrefs: 00AE919F
                      • Exit Code Match -- Exiting Now, xrefs: 00AE93AB
                      • CSetupPrerequisite::ExecutePrerequisite, xrefs: 00AE9154
                      • Reboot Required, xrefs: 00AE9331
                      • MSI Returned ERROR_SUCCESS_REBOOT_INITIATED, xrefs: 00AE944F
                      • Exit Code Match -- Rebooting Later, xrefs: 00AE93D5
                      • Attempting to execute prerequisite: %s, xrefs: 00AE9228
                      • ..\..\..\Shared\Setup\SetupPreRequisite.cpp, xrefs: 00AE913B, 00AE922E
                      • Exit Code Match -- Rebooting Now, xrefs: 00AE93F3
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorH_prolog3_Last$H_prolog3_catch_TextWindow_memset
                      • String ID: ..\..\..\Shared\Setup\SetupPreRequisite.cpp$Attempting to execute prerequisite: %s$CSetupPrerequisite::ExecutePrerequisite$Data File Location: $Exit Code Match -- Exiting Now$Exit Code Match -- Reboot Ignored$Exit Code Match -- Rebooting Later$Exit Code Match -- Rebooting Now$MSI Returned ERROR_INSTALL_USEREXIT$MSI Returned ERROR_SUCCESS_REBOOT_INITIATED$Reboot Required$Return Code from EXE: %d
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AC6EA9
                      • _memset.LIBCMT ref: 00AC6EC0
                      • _memset.LIBCMT ref: 00AC6EDB
                        • Part of subcall function 00AF18D5: lstrcpyW.KERNEL32(000003FE,00B45168,?), ref: 00AF1913
                        • Part of subcall function 00AF18D5: lstrcpyW.KERNEL32(00000000,00B45168), ref: 00AF191B
                        • Part of subcall function 00AF18D5: _malloc.LIBCMT ref: 00AF1935
                        • Part of subcall function 00AF18D5: _memset.LIBCMT ref: 00AF1946
                        • Part of subcall function 00AF18D5: _memset.LIBCMT ref: 00AF1971
                        • Part of subcall function 00AF18D5: wsprintfW.USER32 ref: 00AF19C3
                        • Part of subcall function 00AF18D5: _memset.LIBCMT ref: 00AF19DB
                        • Part of subcall function 00AF263A: lstrcpyW.KERNEL32(?,?,00000000), ref: 00AF2673
                        • Part of subcall function 00AF263A: lstrcpyW.KERNEL32(?,00AB1124), ref: 00AF267D
                        • Part of subcall function 00AF263A: _swscanf.LIBCMT ref: 00AF26F2
                        • Part of subcall function 00AF263A: _swscanf.LIBCMT ref: 00AF271B
                        • Part of subcall function 00ADE3F8: __EH_prolog3_GS.LIBCMT ref: 00ADE3FF
                      • GetVersionExW.KERNEL32 ref: 00AC6F5E
                      • _memset.LIBCMT ref: 00AC6FE0
                      • GetTempPathW.KERNEL32(00000400,?), ref: 00AC6FF5
                      • GetWindowsDirectoryW.KERNEL32(?,00000400), ref: 00AC7020
                        • Part of subcall function 00AC73DD: _memset.LIBCMT ref: 00AC7432
                        • Part of subcall function 00AC73DD: __wsplitpath.LIBCMT ref: 00AC7442
                        • Part of subcall function 00AC73DD: lstrcatW.KERNEL32(?,00B37904), ref: 00AC7456
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00ADD7A3: __EH_prolog3_GS.LIBCMT ref: 00ADD7AD
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: _memset$ErrorLastlstrcpy$H_prolog3_$FreeString_swscanf$DirectoryPathTempVersionWindows__wsplitpath_malloclstrcatwsprintf
                      • String ID: Msi.DLL$Startup$SupportOS$SupportOSMsi12$SupportOSMsi30$SuppressWrongOS
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: _memmove$lstrcmp$H_prolog3_memset
                      • String ID: GIF87a$GIF89a
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AF1F36
                      • _memset.LIBCMT ref: 00AF1F56
                        • Part of subcall function 00ABA8C1: __EH_prolog3.LIBCMT ref: 00ABA8C8
                      • ShellExecuteExW.SHELL32(0000003C), ref: 00AF1FE1
                      • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00AF2016
                      • TranslateMessage.USER32(?), ref: 00AF2070
                      • DispatchMessageW.USER32(?), ref: 00AF2079
                      • WaitForSingleObject.KERNEL32(?,00000000), ref: 00AF2083
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AF209B
                      • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00AF20B7
                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00AF20D2
                      • CloseHandle.KERNEL32(?), ref: 00AF20E9
                        • Part of subcall function 00ABE85C: __EH_prolog3_GS.LIBCMT ref: 00ABE866
                        • Part of subcall function 00ABE85C: GetVersionExW.KERNEL32 ref: 00ABE894
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: MessageWait$H_prolog3_MultipleObjects$CloseCodeDispatchExecuteExitH_prolog3HandleObjectPeekProcessShellSingleTranslateVersion_memset
                      • String ID: <$@
                      APIs
                      • GetTickCount.KERNEL32 ref: 00B191E9
                      • CreateRectRgn.GDI32(?,?,?,?), ref: 00B19226
                      • SelectClipRgn.GDI32(00000001,00000000), ref: 00B19234
                      • BitBlt.GDI32(00000001,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00B1925D
                      • PlayMetaFile.GDI32(00000001,?), ref: 00B19269
                      • SelectObject.GDI32(00000001,?), ref: 00B19276
                      • DeleteObject.GDI32(?), ref: 00B19284
                      • GetTickCount.KERNEL32 ref: 00B19290
                      • SelectClipRgn.GDI32(00000001,00000000), ref: 00B192B3
                      Strings
                      Similarity
                      • API ID: Select$ClipCountObjectTick$CreateDeleteFileMetaPlayRect
                      • String ID: gfff
                      • API String ID: 9451210-1553575800
                      • Opcode ID: 538754f78a4c9c842d2e509b84346f0950d0656326ad7041ab7bfec3673c3775
                      • Instruction ID: dcd498ddf20ab7678a7b7c7f415d710d077c25aae86005b94845ed3b93b133d5
                      • Opcode Fuzzy Hash: 538754f78a4c9c842d2e509b84346f0950d0656326ad7041ab7bfec3673c3775
                      • Instruction Fuzzy Hash: EF314D31900609EFCB258FA5DD89BEEBBB5FF48700F644418F506B72A0CB76A841DB60
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00B0A038
                      • GetModuleHandleW.KERNEL32(kernel32.dll,CreateToolhelp32Snapshot,000002A8,00B08676,00B0AE91,?,?,0000006C,00B0AE91,00B09960,?,?), ref: 00B0A050
                      • GetProcAddress.KERNEL32(00000000), ref: 00B0A053
                      • GetModuleHandleW.KERNEL32(Kernel32.dll,Process32First,?,0000006C,00B0AE91,00B09960,?,?), ref: 00B0A08E
                      • GetProcAddress.KERNEL32(00000000), ref: 00B0A091
                      • GetModuleHandleW.KERNEL32(Kernel32.dll,Process32Next,?,0000006C,00B0AE91,00B09960,?,?), ref: 00B0A0A7
                      • GetProcAddress.KERNEL32(00000000), ref: 00B0A0AA
                      • _memset.LIBCMT ref: 00B0A0D5
                        • Part of subcall function 00B0A18B: __EH_prolog3_GS.LIBCMT ref: 00B0A195
                        • Part of subcall function 00B0A18B: GetModuleHandleW.KERNEL32(Ntdll.dll,NtQueryInformationProcess,?,00000400,?,000004A0,00B0A179,00000000,?,0000006C,00B0AE91,00B09960,?,?), ref: 00B0A1C5
                        • Part of subcall function 00B0A18B: GetProcAddress.KERNEL32(00000000), ref: 00B0A1CC
                        • Part of subcall function 00B0A18B: OpenProcess.KERNEL32(00000400,00000000,?,?,0000006C,00B0AE91,00B09960,?,?), ref: 00B0A1F8
                        • Part of subcall function 00B0A18B: _memset.LIBCMT ref: 00B0A21D
                      Strings
                      Similarity
                      • API ID: AddressHandleModuleProc$H_prolog3__memset$OpenProcess
                      • String ID: CreateToolhelp32Snapshot$Kernel32.dll$Process32First$Process32Next$kernel32.dll
                      • API String ID: 2047754285-1872946363
                      • Opcode ID: f4fdb7a9851b83d67f84aac616585cd3b29761a6479cee7a6fd684735cdfbf4b
                      • Instruction ID: 56c546a3f58a8b8be08e3e3f7752420fc82c8c98421344ae4d2831f4f1d0c408
                      • Opcode Fuzzy Hash: f4fdb7a9851b83d67f84aac616585cd3b29761a6479cee7a6fd684735cdfbf4b
                      • Instruction Fuzzy Hash: BA313C31A00218AFDB21EBA0CD89BEEBBBCAF06700F5041D9E155B71D2EF705A459F52
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ADEB54
                        • Part of subcall function 00AD709B: __EH_prolog3.LIBCMT ref: 00AD70A2
                        • Part of subcall function 00AD7112: GetVersionExW.KERNEL32(?,?,?), ref: 00AD714F
                        • Part of subcall function 00AD7112: GetSystemInfo.KERNEL32(?,?,?), ref: 00AD71A1
                        • Part of subcall function 00AB091B: __EH_prolog3.LIBCMT ref: 00AB0922
                        • Part of subcall function 00AB0E46: __EH_prolog3_GS.LIBCMT ref: 00AB0E50
                        • Part of subcall function 00ADC6C9: __EH_prolog3_catch.LIBCMT ref: 00ADC6D0
                        • Part of subcall function 00ADC6C9: lstrcmpW.KERNEL32(?,00B45168,?,?,00B45168,?,?,00000004,00ADEBEE,Startup,Source,00000001,?,00000400,00000452), ref: 00ADC6F8
                        • Part of subcall function 00ADC782: __EH_prolog3_GS.LIBCMT ref: 00ADC78C
                      • FindWindowExW.USER32(000000FD,00000000,IsPrqHook,-00000004), ref: 00ADEE61
                      • lstrlenW.KERNEL32(?), ref: 00ADEEC7
                      • ~_Task_impl.LIBCPMT ref: 00ADEF5F
                        • Part of subcall function 00AD59C8: __EH_prolog3_GS.LIBCMT ref: 00AD59D2
                      • ~_Task_impl.LIBCPMT ref: 00ADEF72
                      Strings
                      Similarity
                      • API ID: H_prolog3_$H_prolog3Task_impl$FindH_prolog3_catchInfoSystemVersionWindowlstrcmplstrlen
                      • String ID: BetaMarker.dat$EvalMarker.dat$IsPrqHook$KEY$PASSWORD$Source$Startup
                      • API String ID: 4062233923-2891256300
                      • Opcode ID: 72e4a7d76908382aa482dda422d1db4bf6844b44bab2be9137adfff23a1e3d56
                      • Instruction ID: 400b7607137728e66b5b2767f7e1eb32e4666fcf13d085ea995806dc56fc6067
                      • Opcode Fuzzy Hash: 72e4a7d76908382aa482dda422d1db4bf6844b44bab2be9137adfff23a1e3d56
                      • Instruction Fuzzy Hash: A2B1B170A05255AEEB25EB74CD45BFEB7A4AF04304F0401DAE41AAB2E2DF709E85CB50
                      APIs
                      • BitBlt.GDI32(00B13CDE,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00B18E8A
                      • GetTickCount.KERNEL32 ref: 00B1955D
                      • BitBlt.GDI32(00000001,?,?,?,00000001,?,?,?,00CC0020), ref: 00B195B8
                      • BitBlt.GDI32(00000001,?,?,00000001,?,?,?,?,00CC0020), ref: 00B195E5
                      • BitBlt.GDI32(00000001,?,?,?,00000001,?,?,?,00CC0020), ref: 00B19619
                      • BitBlt.GDI32(00000001,?,?,00000001,?,?,?,?,00CC0020), ref: 00B1964D
                      • BitBlt.GDI32(00000001,?,?,?,00000001,?,?,?,00CC0020), ref: 00B1969A
                      • BitBlt.GDI32(00000001,?,?,00000001,?,?,?,?,00CC0020), ref: 00B196C4
                      • BitBlt.GDI32(00000001,?,?,?,00000001,?,?,?,00CC0020), ref: 00B196F5
                      • BitBlt.GDI32(00000001,?,?,00000001,?,?,?,?,00CC0020), ref: 00B19726
                      • GetTickCount.KERNEL32 ref: 00B19740
                      • PlayMetaFile.GDI32(00B13CDE,00000000), ref: 00B19798
                      • DeleteDC.GDI32(?), ref: 00B197A1
                      • RestoreDC.GDI32(00B13CDE,?), ref: 00B197AB
                      Similarity
                      • API ID: CountTick$DeleteFileMetaPlayRestore
                      • String ID:
                      • API String ID: 718445662-0
                      • Opcode ID: ff2a85ab3c491717e5395c6c5604d8d8f6ff3986ee43fa3672a7f4eb525d0608
                      • Instruction ID: f168080a35959cb93eb9ea9fc44eeb745052e9cfab8253853b9bd835248df300
                      • Opcode Fuzzy Hash: ff2a85ab3c491717e5395c6c5604d8d8f6ff3986ee43fa3672a7f4eb525d0608
                      • Instruction Fuzzy Hash: 7391F871A00205AFDF24CB99CC85FFEB7BAFB88710F544558F516E7291DA71AC418B20
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AEE786
                      • GetObjectW.GDI32(?,00000018,?), ref: 00AEE798
                      • CreateCompatibleDC.GDI32(00000000), ref: 00AEE7BB
                      • SelectObject.GDI32(00000000,?), ref: 00AEE7CB
                      • GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00AEE7E0
                      • GlobalAlloc.KERNEL32(00000042,00000408), ref: 00AEE7EF
                      • GlobalLock.KERNEL32(00000000), ref: 00AEE7FF
                      • GetSystemPaletteEntries.GDI32(?,00000000,0000000A,00000004), ref: 00AEE89A
                      • GetSystemPaletteEntries.GDI32(?,000000F6,0000000A,000003DC), ref: 00AEE8AB
                      • CreatePalette.GDI32(00000000), ref: 00AEE8AE
                      • DeleteDC.GDI32(?), ref: 00AEE8BA
                      • GetDC.USER32(00000000), ref: 00AEE8D1
                      • CreateHalftonePalette.GDI32(00000000), ref: 00AEE8DA
                      • ReleaseDC.USER32(00000000,00000000), ref: 00AEE8E7
                      Similarity
                      • API ID: Palette$Create$EntriesGlobalObjectSystem$AllocColorCompatibleDeleteH_prolog3_HalftoneLockReleaseSelectTable
                      • String ID:
                      • API String ID: 447354755-0
                      • Opcode ID: ac9b861715abd2228290e17102c5740d4597ca4bb25ee58f7a0177c472394e01
                      • Instruction ID: e39c21cf754747ab3f1f6cee163925a83812904b83ea0a66f75931f68428d250
                      • Opcode Fuzzy Hash: ac9b861715abd2228290e17102c5740d4597ca4bb25ee58f7a0177c472394e01
                      • Instruction Fuzzy Hash: 87412BB15002989FC725CF759C84BED7F78EF55304F2480E9EA499B252CB314A86CF65
                      APIs
                      • FindResourceW.KERNEL32(?,00B1709B,PNG,?,?,?,?,?,00B1727F,?,00B1709B,00000000,?,?,?,?), ref: 00B19FE8
                      • FindResourceW.KERNEL32(?,00B1709B,00000002,?,00B1727F,?,00B1709B,00000000,?,?,?,?,?,00B1709B,?), ref: 00B19FF9
                      Strings
                      Similarity
                      • API ID: FindResource
                      • String ID: PNG
                      • API String ID: 1635176832-364855578
                      • Opcode ID: 7a6826affbeccfde8d49c73ca4cf3f077ab52c35b0f6c83244c59db8830881cb
                      • Instruction ID: 58c1b9574614afa62893350bb0271637c8ebc74d0b594ffe9244b26b1f2586f3
                      • Opcode Fuzzy Hash: 7a6826affbeccfde8d49c73ca4cf3f077ab52c35b0f6c83244c59db8830881cb
                      • Instruction Fuzzy Hash: 9B31B172602709AFDB215FA4EC49AEFB7ACEF09356F5000A5FD04D3211EB719D6087A1
                      APIs
                      • GetModuleHandleW.KERNEL32(Kernel32.dll), ref: 00B08E43
                      • GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 00B08E53
                      • RegOpenKeyExW.ADVAPI32(80000003,.Default\Control Panel\desktop\ResourceLocale,00000000,000F003F,?,?,00000000), ref: 00B08E8C
                      • RegQueryValueExW.ADVAPI32(?,00B45168,00000000,00000000,?,0000000A), ref: 00B08EA4
                      • RegOpenKeyExW.ADVAPI32(80000003,.DEFAULT\Control Panel\International,00000000,000F003F,?), ref: 00B08EC5
                      • RegQueryValueExW.ADVAPI32(?,Locale,00000000,00000000,?,0000000A), ref: 00B08EDF
                      • __wcstoi64.LIBCMT ref: 00B08F01
                      Strings
                      • .DEFAULT\Control Panel\International, xrefs: 00B08EB8
                      • Locale, xrefs: 00B08ED7
                      • Kernel32.dll, xrefs: 00B08E3E
                      • GetSystemDefaultUILanguage, xrefs: 00B08E4D
                      • .Default\Control Panel\desktop\ResourceLocale, xrefs: 00B08E78
                      Similarity
                      • API ID: OpenQueryValue$AddressHandleModuleProc__wcstoi64
                      • String ID: .DEFAULT\Control Panel\International$.Default\Control Panel\desktop\ResourceLocale$GetSystemDefaultUILanguage$Kernel32.dll$Locale
                      • API String ID: 2065448255-3798069133
                      • Opcode ID: 1c4ceed5e2070e8a55917b8bbb696a03e65d3bff04feef7736e0295b19a6fbef
                      • Instruction ID: ea7bdfd48a249a61b8e3c61453362ed0c94277a8c724e6370ff13faf74d4bb66
                      • Opcode Fuzzy Hash: 1c4ceed5e2070e8a55917b8bbb696a03e65d3bff04feef7736e0295b19a6fbef
                      • Instruction Fuzzy Hash: 63215E71E0061EAEDB11DBA4CD82EBF7BECEB04748F500469BA01B7191DF709E159BA4
                      APIs
                      • GetClientRect.USER32(?,?), ref: 00B1982C
                      • MulDiv.KERNEL32(?,?,000186A0), ref: 00B19852
                      • MulDiv.KERNEL32(?,?,000186A0), ref: 00B19868
                      • MulDiv.KERNEL32(?,?,000186A0), ref: 00B19A04
                      • MulDiv.KERNEL32(?,?,000186A0), ref: 00B19A14
                      • GdipCreateFromHDC.GDIPLUS(00B17E84,00000000,?,?,?,?,B1696068,?,B1696068,?,?,?,?,00B17E84,?), ref: 00B19A88
                      • GdipSetInterpolationMode.GDIPLUS(00000000,00000007,00B17E84,00000000,?,?,?,?,B1696068,?,B1696068,?,?,?,?,00B17E84), ref: 00B19A96
                      • GdipDrawImageRectI.GDIPLUS(00B17E84,00000000,?,00B1739C,?,00000000,00000000,00000007,00B17E84,00000000,?,?,?,?,B1696068,?), ref: 00B19AB3
                      • GdipDeleteGraphics.GDIPLUS(00B17E84,00B17E84,00000000,?,00B1739C,?,00000000,00000000,00000007,00B17E84,00000000,?,?,?,?,B1696068), ref: 00B19AB9
                      Similarity
                      • API ID: Gdip$Rect$ClientCreateDeleteDrawFromGraphicsImageInterpolationMode
                      • String ID:
                      • API String ID: 2842912273-0
                      • Opcode ID: d8f666e8880a5a4044a8f94cb71a44cf9aa3a8aadc652879df23c71aa42da54a
                      • Instruction ID: d71add4810d6131abc3dfbc290f736d447f76b5a444bc983c19fe7c0603eda8c
                      • Opcode Fuzzy Hash: d8f666e8880a5a4044a8f94cb71a44cf9aa3a8aadc652879df23c71aa42da54a
                      • Instruction Fuzzy Hash: D2A1F072900219CFCF14CFA8C994AEEBBF5EF48340F6481A9E905B7255D775AD80CBA0
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AD5231
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00ADD595: __EH_prolog3_GS.LIBCMT ref: 00ADD59C
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                      Strings
                      Similarity
                      • API ID: ErrorLast$FreeH_prolog3_String
                      • String ID: %s%d$.$InstanceId$Instances$PackageCode$ProductCode$ProductVersion$UpgradeCode$count$key
                      • API String ID: 2608676048-3806387272
                      • Opcode ID: 9dea0fedbed16f77d9df578fb24fa38997eaa31eb1af24b78101a48f26917ef1
                      • Instruction ID: eb8fd405ce3af12807aa3e5fbb806c75c9d66516590a56e79e22c1419d87f2c1
                      • Opcode Fuzzy Hash: 9dea0fedbed16f77d9df578fb24fa38997eaa31eb1af24b78101a48f26917ef1
                      • Instruction Fuzzy Hash: F5026970D0021AEADB25DBA4CD95BEDB7B4BF55304F1041EAE00AA7292EBB05F84DF51
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AE1622
                        • Part of subcall function 00AAF565: __EH_prolog3_GS.LIBCMT ref: 00AAF56F
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00AB08A9: __EH_prolog3.LIBCMT ref: 00AB08B0
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00AB09F6: __EH_prolog3.LIBCMT ref: 00AB09FD
                        • Part of subcall function 00AAF320: SysStringLen.OLEAUT32(?), ref: 00AAF32D
                        • Part of subcall function 00AAF320: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00AAF347
                        • Part of subcall function 00AB1233: __EH_prolog3_GS.LIBCMT ref: 00AB123D
                        • Part of subcall function 00AB1233: SysStringLen.OLEAUT32(?), ref: 00AB1363
                        • Part of subcall function 00AB1233: SysFreeString.OLEAUT32(?), ref: 00AB1372
                        • Part of subcall function 00AB1233: SysFreeString.OLEAUT32(?), ref: 00AB13B7
                      Strings
                      Similarity
                      • API ID: String$ErrorFreeLast$H_prolog3_$H_prolog3$Alloc
                      • String ID: IS_OriginalLauncher:$IS_temp$auto$delayedstart:$extract_all:$installfromweb:$media_path:$no_engine$runfromtemp$tempdisk1folder:
                      • API String ID: 3067009588-744011383
                      • Opcode ID: 6a70b388a4f4058c7867d95b7089c07756cde9ba4ffeef8356f3b24a3746ae05
                      • Instruction ID: 965e2d43e52d4269af7b5dbb07727a0b8d57929b70a47cae0be347ea9ce85741
                      • Opcode Fuzzy Hash: 6a70b388a4f4058c7867d95b7089c07756cde9ba4ffeef8356f3b24a3746ae05
                      • Instruction Fuzzy Hash: AFF1B330904298EEDF24EBA4CE55BEEBBB5AF12300F5441D8E0456B1D3DBB05B49CBA1
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AF1B71
                      • GetCurrentThread.KERNEL32 ref: 00AF1B88
                      • OpenThreadToken.ADVAPI32(00000000), ref: 00AF1B8F
                      • GetLastError.KERNEL32 ref: 00AF1B9F
                      • GetCurrentProcess.KERNEL32(00000008,?), ref: 00AF1BAE
                      • OpenProcessToken.ADVAPI32(00000000), ref: 00AF1BB5
                      • GetLastError.KERNEL32 ref: 00AF1BBB
                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 00AF1BDE
                      • GetLastError.KERNEL32 ref: 00AF1BE4
                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 00AF1C09
                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00AF1C26
                      • EqualSid.ADVAPI32(00000004,?), ref: 00AF1C41
                      • FreeSid.ADVAPI32(?), ref: 00AF1C61
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: Token$ErrorLast$CurrentInformationOpenProcessThread$AllocateEqualFreeH_prolog3_Initialize
                      • String ID:
                      • API String ID: 2153409075-0
                      • Opcode ID: 5dd7f1c21263ab6a029f3f1e995d47e9747ba69d9dbdc5187cc37f1fece856dd
                      • Instruction ID: 763ce5ad903ea47da8bd213e3a825d6c4beb0e1d00612c06b3d6d316fb7c9eb3
                      • Opcode Fuzzy Hash: 5dd7f1c21263ab6a029f3f1e995d47e9747ba69d9dbdc5187cc37f1fece856dd
                      • Instruction Fuzzy Hash: AE312C71A0060DEEDB219FE0DC85EBE7BB8EF08354F644429F641E7190EB359D069B60
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AE84FE
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,00000004), ref: 00AE8767
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorLast$H_prolog3_QueryValue
                      • String ID: $ $HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_DYN_DATA$HKEY_LOCAL_MACHINE$HKEY_PERFORMANCE_DATA$HKEY_USERS
                      • API String ID: 2669483599-1164148931
                      • Opcode ID: 9d0cf671f8e582ee29f428b1368ceda7afcf9e3c2276d9e16570274db2a75c06
                      • Instruction ID: 524600ab90a8fb4f26eaa7d30446fbd48f41dc06805e6ff936f7fadec3eb040f
                      • Opcode Fuzzy Hash: 9d0cf671f8e582ee29f428b1368ceda7afcf9e3c2276d9e16570274db2a75c06
                      • Instruction Fuzzy Hash: 9CD19C31E00299EEDF24DB5ACD81BEDB7B4AF11300F2440D9E849A7191DB789E88DF52
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AD298D
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00AB3F25: __EH_prolog3.LIBCMT ref: 00AB3F2C
                        • Part of subcall function 00ADA973: __EH_prolog3.LIBCMT ref: 00ADA97A
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorLast$FreeH_prolog3String$H_prolog3_
                      • String ID: #%d$0$CostFinalize$CostInitialize$Error applying transform '%s' for Costing: %d$Error opening database '%s' for Costing: %d$Error opening package '%s' for Costing: %d$FileCost$TRANSFORMS$msiaction.cpp
                      • API String ID: 117023860-1922979793
                      • Opcode ID: 3dd7988270b50ef4cdcea662c0842ce081adb662204616a1ef7a65731edcd41b
                      • Instruction ID: 8bdca6b3e794e598db61bbb038d340752e14782b21de406567632de3f01835ba
                      • Opcode Fuzzy Hash: 3dd7988270b50ef4cdcea662c0842ce081adb662204616a1ef7a65731edcd41b
                      • Instruction Fuzzy Hash: A7E11671D00228EADB25DF94CD85BEDBBB4AF65304F1400DAE14AA72A1DB705F84DF91
                      APIs
                      • _wcscmp.LIBCMT ref: 00AACC38
                      • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104), ref: 00AACCD0
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: FileModuleName_wcscmp
                      • String ID: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}$Files$Folders$NO_KEY_VALUE$_ISMSIDEL.INI
                      • API String ID: 1193818139-2508934686
                      • Opcode ID: 8671b7a29693ec696baa7ef6caaa20cfd89b7133465187085a9495c14fd99edb
                      • Instruction ID: 728a5a19ecaae3ac0fd44d3d61ab7ebe51da781146bb6b6c6270da8e33398434
                      • Opcode Fuzzy Hash: 8671b7a29693ec696baa7ef6caaa20cfd89b7133465187085a9495c14fd99edb
                      • Instruction Fuzzy Hash: 99C171B1904358AEDB21EB64CD49BEEB7B8BF15304F1041E9E549A31C2DB745B88CBA1
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00B09671
                      • _memset.LIBCMT ref: 00B0970A
                      • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000044,00B6DA70,?,00000000,00B0A85F,0000000A,00000000), ref: 00B09782
                      • GetLastError.KERNEL32 ref: 00B0979D
                      • _memset.LIBCMT ref: 00B097FD
                      • ShellExecuteExW.SHELL32(0000003C), ref: 00B098CC
                      • WaitForInputIdle.USER32(?,000003E8), ref: 00B09947
                      • GetExitCodeProcess.KERNEL32(?,00B6DA6C), ref: 00B0996B
                      • GetLastError.KERNEL32 ref: 00B09975
                        • Part of subcall function 00AC2F8F: __EH_prolog3_GS.LIBCMT ref: 00AC2F99
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00AB5E3D: __EH_prolog3_GS.LIBCMT ref: 00AB5E44
                        • Part of subcall function 00ABF954: __EH_prolog3_GS.LIBCMT ref: 00ABF95B
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorH_prolog3_Last$FreeProcessString_memset$CodeCreateExecuteExitIdleInputShellWait
                      • String ID: <$D
                      • API String ID: 3263116737-1382654409
                      • Opcode ID: b56b82e4d1ea07972195159bd85e7451abab67308079a85b38ddbc73be4352a1
                      • Instruction ID: 051f1be38a61380ca9c67ff4f8d90fb156f4be977cf8fd03f0fd8807e201a192
                      • Opcode Fuzzy Hash: b56b82e4d1ea07972195159bd85e7451abab67308079a85b38ddbc73be4352a1
                      • Instruction Fuzzy Hash: B6A19275804248EEDF20EFA4CD45BDE7BB8EF56340F104199F9169B292EB705A44CB61
                      APIs
                      Strings
                      • DotNetDelayReboot, xrefs: 00ACD761
                      • Redist return value (%d) indicates a reboot is required, DotNetDelayReboot is %x, xrefs: 00ACD7E3
                      • Reboot will be deferred, xrefs: 00ACD861
                      • Startup, xrefs: 00ACD77E
                      • System is Win9x or reboot is not being suppressed, reboot will be immediate, xrefs: 00ACD8F4
                      • Software\Microsoft\Windows\CurrentVersion\Installer, xrefs: 00ACD96E
                      • msiaction.cpp, xrefs: 00ACD7E9, 00ACD841, 00ACD8D4
                      • InstallerLocation, xrefs: 00ACD9B1
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: CurrentDirectoryH_prolog3__memset
                      • String ID: DotNetDelayReboot$InstallerLocation$Reboot will be deferred$Redist return value (%d) indicates a reboot is required, DotNetDelayReboot is %x$Software\Microsoft\Windows\CurrentVersion\Installer$Startup$System is Win9x or reboot is not being suppressed, reboot will be immediate$msiaction.cpp
                      • API String ID: 277675003-2561541245
                      • Opcode ID: acaf349c48615dbc813d3b032b09d0ac60d2099f651b1acd2f0476d1e020836c
                      • Instruction ID: eb3acd41e9b4ad17bb9bd120975aca70edf8d59198a481f2c7b58df289328f2c
                      • Opcode Fuzzy Hash: acaf349c48615dbc813d3b032b09d0ac60d2099f651b1acd2f0476d1e020836c
                      • Instruction Fuzzy Hash: 68818D70D05218AEEF60EB64CD8ABEDB7B8AB15300F5001E9E109A71E1DBB44F89CB51
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AF1DAA
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                      • _memset.LIBCMT ref: 00AF1DD2
                      • _memset.LIBCMT ref: 00AF1DE3
                      • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00AF1E6E
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00AF1EA0
                      • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00AF1EC5
                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00AF1ED2
                      • CloseHandle.KERNEL32(?,?,?,?,?,00000001,000000B8,00AC72F4,?,00000001), ref: 00AF1EE3
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorLastProcess_memset$CloseCodeCreateExitH_prolog3_HandleMessageMultipleObjectsPeekWait
                      • String ID: Attempting to launch: %s$Launch result %d, exit code %d$utils.cpp
                      • API String ID: 3068613049-2353317557
                      • Opcode ID: ee9f470c51fe01c5608fb054fcda92b0691d2100bde5f172acaf31cd3f28fff7
                      • Instruction ID: 2b098690d44acac3da82c421832f0bb025e68077f957e71488c73534ffd8202d
                      • Opcode Fuzzy Hash: ee9f470c51fe01c5608fb054fcda92b0691d2100bde5f172acaf31cd3f28fff7
                      • Instruction Fuzzy Hash: 604127B2C0021CEEDB24DBE4CE859EEB7B8AB19344F10416AF615A7291EB705E05CB61
                      APIs
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                      • CreateFileW.KERNEL32(-00000004,C0000000,00000001,00000000,00000004,00000080,00000000,?,?,00000001,6D9FB08F), ref: 00AA1A86
                      • GetLastError.KERNEL32(?,?,00000001,6D9FB08F), ref: 00AA1A99
                      • SysFreeString.OLEAUT32(?), ref: 00AA1AB5
                      • SysFreeString.OLEAUT32(?), ref: 00AA1AC0
                      • SetLastError.KERNEL32(?), ref: 00AA1AE0
                      • ReadFile.KERNEL32(00000000,00000000,00000002,00000000,00000000), ref: 00AA1B18
                      • WriteFile.KERNEL32(00000000,00000000,00000002,?), ref: 00AA1B5B
                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00AA1B92
                      • GetLastError.KERNEL32 ref: 00AA1BB3
                      • SysFreeString.OLEAUT32(?), ref: 00AA1BC9
                      • SysFreeString.OLEAUT32(?), ref: 00AA1BD4
                      • SetLastError.KERNEL32(?), ref: 00AA1BF4
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorLast$FileFreeString$Write$CreateRead
                      • String ID:
                      • API String ID: 2306213392-0
                      • Opcode ID: 6b2c5f74a45ad3662978297dd82b23dbbc088f7b84932cb5cca6799dc93255ba
                      • Instruction ID: 41b5dd9809524b890f54615d9d57f913b8927431d56e6297b8b0df0db78f4d0a
                      • Opcode Fuzzy Hash: 6b2c5f74a45ad3662978297dd82b23dbbc088f7b84932cb5cca6799dc93255ba
                      • Instruction Fuzzy Hash: 70510971A00648EFEB20DFA4DC45BADBBB8FF05704F204029F515BB2A1DBB4A955CB64
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AE57C6
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00AE6CB0: __EH_prolog3.LIBCMT ref: 00AE6CB7
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00AE4FB0: __EH_prolog3_GS.LIBCMT ref: 00AE4FB7
                        • Part of subcall function 00AE6C82: __EH_prolog3.LIBCMT ref: 00AE6C89
                        • Part of subcall function 00AB0A27: __EH_prolog3_GS.LIBCMT ref: 00AB0A2E
                        • Part of subcall function 00AB5F47: __EH_prolog3_GS.LIBCMT ref: 00AB5F4E
                        • Part of subcall function 00AE71C1: __EH_prolog3_GS.LIBCMT ref: 00AE71C8
                        • Part of subcall function 00AEBF77: __EH_prolog3_catch_GS.LIBCMT ref: 00AEBF81
                        • Part of subcall function 00AE50A7: __EH_prolog3.LIBCMT ref: 00AE50AE
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: H_prolog3_$ErrorLast$H_prolog3$FreeString$H_prolog3_catch_
                      • String ID: $..\..\..\Shared\Setup\SetupPrereqMgr.cpp$Checking setup prerequisite '%s'$Features do not match for prerequisite '%s'$Features match for prerequisite '%s'$ISSetupPrerequisites$Marking prerequisite '%s' for install during ADMIN install$Prerequisite '%s' scheduled before feature selection$Skipping prerequisite '%s' because it was installed before the reboot
                      • API String ID: 2259271565-2275726802
                      • Opcode ID: cf4a3ea7682fd1d71ca49c78b986fc90a9b49bb11091946859996bb2af213c50
                      • Instruction ID: 52c03d0512c849c9b23a40b7419d20ce6beb15b5b785b55483369ffd928a05ed
                      • Opcode Fuzzy Hash: cf4a3ea7682fd1d71ca49c78b986fc90a9b49bb11091946859996bb2af213c50
                      • Instruction Fuzzy Hash: EE224931D04298EEDB25DBA4CE55BEDBBF8AF15304F1040D9E049A7182DB746B88DF61
                      APIs
                      • __EH_prolog3_catch_GS.LIBCMT ref: 00ADD9E4
                        • Part of subcall function 00ADCDA8: __EH_prolog3_GS.LIBCMT ref: 00ADCDB2
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: H_prolog3_H_prolog3_catch_
                      • String ID: ($2$InstalledProductName$PackageCode$Upgrade check: checking product code %s$Upgrade check: later product version already installed$Upgrade check: obtained package code %s from machine, current package code is %s$VersionString$session.cpp
                      • API String ID: 2112800272-2579191198
                      • Opcode ID: cad3480c1b315e94f2b9f60905e2e73cc1495db3ea2edfdb8111fe326d08aa91
                      • Instruction ID: b7bc7e1b17411d51a8522f4a4c3f8b97674a25263014c93d94572775e87ce7be
                      • Opcode Fuzzy Hash: cad3480c1b315e94f2b9f60905e2e73cc1495db3ea2edfdb8111fe326d08aa91
                      • Instruction Fuzzy Hash: 49128070901248DFDF15DBA4CA46BEDBBB4AF16304F1040E9E146AB292DBB45F48DFA1
                      APIs
                      • _memmove.LIBCMT ref: 00AA5923
                      • _memmove.LIBCMT ref: 00AA595C
                      • _memmove.LIBCMT ref: 00AA5999
                      • _memmove.LIBCMT ref: 00AA5B96
                        • Part of subcall function 00AA6510: SysAllocStringLen.OLEAUT32(00000000,?), ref: 00AA6559
                        • Part of subcall function 00AA6510: _memmove.LIBCMT ref: 00AA6581
                        • Part of subcall function 00AA6510: SysFreeString.OLEAUT32(00000000), ref: 00AA6591
                      • _memmove.LIBCMT ref: 00AA5A16
                      • _memmove.LIBCMT ref: 00AA5A9A
                      • _memmove.LIBCMT ref: 00AA5B17
                      • _memmove.LIBCMT ref: 00AA5B5A
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: _memmove$String$AllocFree
                      • String ID: invalid string position$string too long
                      • API String ID: 4249169437-4289949731
                      • Opcode ID: 68378d3cde23021060156fefb733d958fb60d5def125fe8dd06a2625635b3a67
                      • Instruction ID: 065ee58a86892b4608524e7add28fccda59f4d098b449d601ef144f70207dc38
                      • Opcode Fuzzy Hash: 68378d3cde23021060156fefb733d958fb60d5def125fe8dd06a2625635b3a67
                      • Instruction Fuzzy Hash: 8BD15171B00A09DBCB24CF68C9C09AEB7FAFF897457604519E845CB291E730ED55CBA8
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AB96F9
                      • GetProcAddress.KERNEL32(?,RunISMSISetup), ref: 00AB977E
                      • GetModuleFileNameW.KERNEL32(00000000,00000400,?,00000400), ref: 00AB985D
                        • Part of subcall function 00ADCDA8: __EH_prolog3_GS.LIBCMT ref: 00ADCDB2
                        • Part of subcall function 00AAC346: __EH_prolog3.LIBCMT ref: 00AAC34D
                        • Part of subcall function 00AAC346: GetLastError.KERNEL32(00000004,00ADA9A1,?,00000000,00000004,00AAEE6B,?,00000001), ref: 00AAC36F
                        • Part of subcall function 00AAC346: SetLastError.KERNEL32(?,00000000), ref: 00AAC3AF
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorH_prolog3_Last$AddressFileH_prolog3ModuleNameProc
                      • String ID: Could not find entry point in ISSetup.dll$ISSetup.dll$IsMsiHelper.cpp$Launching InstallScript engine: %s, %s, %d$RunISMSISetup$setup.exe$w
                      • API String ID: 1938318566-2138724763
                      • Opcode ID: 19c03fc341ffed6dc844c8614eb6b587992782afe7b760384326829c8c708053
                      • Instruction ID: 613e3aa9257c68b94e691f1c19c2df0cc10f2ab1f2df7f46f2e57fd3efeebd1c
                      • Opcode Fuzzy Hash: 19c03fc341ffed6dc844c8614eb6b587992782afe7b760384326829c8c708053
                      • Instruction Fuzzy Hash: 2FC16770D01218EEDB24DFA4CD85BEDBBB4BF16300F2441E9E189A7292DBB05A85DF51
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00B0EDDD
                      • SetLastError.KERNEL32(00002EE6,?,00000000), ref: 00B0EE41
                      • lstrcmpiW.KERNEL32(?,?,?,00000000), ref: 00B0EEB1
                      • lstrlenW.KERNEL32(?), ref: 00B0EEEA
                      • lstrcpyW.KERNEL32(00000000,?), ref: 00B0EF10
                      • lstrlenW.KERNEL32(?,?,00000000), ref: 00B0EF19
                      • lstrcpyW.KERNEL32(00000000,?), ref: 00B0EF41
                      • lstrcatW.KERNEL32(?,?), ref: 00B0EF52
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: lstrcpylstrlen$ErrorH_prolog3Lastlstrcatlstrcmpi
                      • String ID: <$GET
                      • API String ID: 152113618-427699995
                      • Opcode ID: 4eb18b588eee615e725d66160f2e39aafbd02f497ca3ecc3b572c8fd55e70225
                      • Instruction ID: 69b429f0ca3a571042f041b5474bbd5666b8a9571846517160c61c69197a3111
                      • Opcode Fuzzy Hash: 4eb18b588eee615e725d66160f2e39aafbd02f497ca3ecc3b572c8fd55e70225
                      • Instruction Fuzzy Hash: 0F516C3290011AEFDF159FA0CD49ABF7FBAFF08340F144469FA15AA1A1DB718911DBA0
                      APIs
                        • Part of subcall function 00B05DAE: __EH_prolog3_GS.LIBCMT ref: 00B05DB5
                        • Part of subcall function 00B05DAE: GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000104,00000078,00B087CD,?,00000000,00000068,00ACE68C,?,00B6C058,?,00000000,00000000,?), ref: 00B05E0D
                        • Part of subcall function 00B05DAE: __CxxThrowException@8.LIBCMT ref: 00B05E3A
                        • Part of subcall function 00ADA973: __EH_prolog3.LIBCMT ref: 00ADA97A
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00AAC449: __EH_prolog3.LIBCMT ref: 00AAC450
                        • Part of subcall function 00AAC449: GetLastError.KERNEL32(00000004,00AAC6DF,00000000,?,00000000,00000004,00AAF608,-00000004,?,00000001,?,00000000), ref: 00AAC472
                        • Part of subcall function 00AAC449: SetLastError.KERNEL32(?,00000000,?), ref: 00AAC4B3
                        • Part of subcall function 00AC58F1: __EH_prolog3.LIBCMT ref: 00AC58F8
                      • LoadLibraryW.KERNEL32(?,00B3C124,Shcore.dll,?,00000000,00000000,00000001,?,?), ref: 00B16DCD
                      • GetProcAddress.KERNEL32(00000000,GetDpiForMonitor), ref: 00B16DE5
                      • MonitorFromPoint.USER32(00000001,00000001,00000002), ref: 00B16DFB
                      • GetDC.USER32(00000000), ref: 00B16E30
                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 00B16E3F
                      • ReleaseDC.USER32(00000000,00000000), ref: 00B16E4E
                      • MulDiv.KERNEL32(00000060,00000064,00000060), ref: 00B16E5E
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast$H_prolog3$FreeString$AddressCapsDeviceDirectoryException@8FromH_prolog3_LibraryLoadMonitorPointProcReleaseThrowWindows
                      • String ID: GetDpiForMonitor$Shcore.dll$`
                      • API String ID: 2583275590-2923232758
                      • Opcode ID: 6272d6afbb16a28f5c1b4a2e91b19595f0acec67aceebbfc6d001863734d48a4
                      • Instruction ID: 1be8be0bfa42f0964c5c02e6ee98336965f034f9e29351753a8369104cc79eb8
                      • Opcode Fuzzy Hash: 6272d6afbb16a28f5c1b4a2e91b19595f0acec67aceebbfc6d001863734d48a4
                      • Instruction Fuzzy Hash: 92418D7AA00758EEDB21DBA4CD45BDEBBF8FF45B00F100199E505A7280DBB05A44CB61
                      APIs
                      • CharNextW.USER32 ref: 00AC04F2
                      • CharNextW.USER32 ref: 00AC0549
                      • CharNextW.USER32(00000000), ref: 00AC054C
                        • Part of subcall function 00ADAEB4: _memset.LIBCMT ref: 00ADAF12
                        • Part of subcall function 00ADAEB4: _memset.LIBCMT ref: 00ADAF2D
                      • CharNextW.USER32 ref: 00AC058E
                      • CharNextW.USER32(00000000), ref: 00AC0591
                      • CharNextW.USER32 ref: 00AC05D3
                      • CharNextW.USER32(00000000), ref: 00AC05D6
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: CharNext$_memset
                      • String ID: )$/uninst$uninst
                      • API String ID: 2160127187-3448745154
                      • Opcode ID: 02ef02e05575a8a901e2de0a6823b67964a19d5ae31ed6a5578d7ccdc8401709
                      • Instruction ID: 1b10b7f50f029d2a1afbc1a62dcb232a8bbf55950c41cf143f8a884f43d6062e
                      • Opcode Fuzzy Hash: 02ef02e05575a8a901e2de0a6823b67964a19d5ae31ed6a5578d7ccdc8401709
                      • Instruction Fuzzy Hash: 04319EB0944618EFDB28D764CD98FEE7B789F16310F144199E00AA7191DB70AF84CFA1
                      APIs
                      • GetPropW.USER32(?,PROP_STAT_PSKIN), ref: 00B15181
                      • GetPropW.USER32(?,PROP_STAT_OLDPROC), ref: 00B1518C
                      • GetDC.USER32(?), ref: 00B1519B
                      • GetWindowRect.USER32(?,?), ref: 00B151A8
                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00B151BB
                      • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 00B151EE
                      • ReleaseDC.USER32(?,00000000), ref: 00B151F6
                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 00B1520B
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: Window$Prop$CallPointsProcRectRelease
                      • String ID: PROP_STAT_OLDPROC$PROP_STAT_PSKIN
                      • API String ID: 880400865-2156214881
                      • Opcode ID: 95573792adb13a68487bf7a2b3abcc7d30ca1e8663cc1406a6d285218b8db9aa
                      • Instruction ID: d02e52a7db124e81a6b7f0c404f6728e75ec47bc5a958bb554f7fd76ddcb0025
                      • Opcode Fuzzy Hash: 95573792adb13a68487bf7a2b3abcc7d30ca1e8663cc1406a6d285218b8db9aa
                      • Instruction Fuzzy Hash: 8421FC75900208BFDB10DFA9DC89EAFBBBDFB48711F208459F905A7251CB74A950CBA0
                      APIs
                      • IsWindow.USER32(00000001), ref: 00B16F21
                      • DestroyWindow.USER32(00000001,?,?,00000000,00B305AB,000000FF,?,00B165F5,?,?,00000002,?,00000000,00000000,00000001), ref: 00B16F2E
                      • IsWindow.USER32(000000FF), ref: 00B16F5E
                      • CreateWindowExW.USER32(00000020,00000000,40000000,00000000,00000000,00000000,00000000,000000FF,00000000,?), ref: 00B16FD0
                      • IsWindow.USER32(00000000), ref: 00B16FDA
                      • GetWindow.USER32(?,00000003), ref: 00B16FFE
                      • SetWindowPos.USER32(00000000,?,00000000,00000000,00000000,00000000,00000003), ref: 00B17021
                      • MulDiv.KERNEL32(00000000,00000000,?), ref: 00B17168
                      • MulDiv.KERNEL32(00000000,00000000,?), ref: 00B1718B
                      • MoveWindow.USER32(00000000,?,?,00000000,?,00000000,00000000,00000000,?,?,00000000), ref: 00B171DA
                      • ShowWindow.USER32(00000000,00000000), ref: 00B171E5
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: Window$CreateDestroyMoveShow
                      • String ID:
                      • API String ID: 3486018820-0
                      • Opcode ID: 534f3ee9b0b58bcfe88a9d135b15532e79156285f061ff17f797718954657f6c
                      • Instruction ID: 8ab39e4c9b123233337e54a7d21731e2ed238ca4aa787a7529c85154f9fd3c85
                      • Opcode Fuzzy Hash: 534f3ee9b0b58bcfe88a9d135b15532e79156285f061ff17f797718954657f6c
                      • Instruction Fuzzy Hash: 55B13771A44204AFDB14DF64D995BEEBBF5EF08300F648199F909AB295DB35D880CBA0
                      APIs
                      • lstrcmpiW.KERNEL32(?,Delete,?,6D9FB08F,?,00000000,00000000,?,00B287C5,000000FF,?,00AD9320,?,00000000,00000000,00000000), ref: 00AD9575
                      • lstrcmpiW.KERNEL32(?,ForceRemove,?,00000000,00000000,?,00B287C5,000000FF,?,00AD9320,?,00000000,00000000,00000000,?,?), ref: 00AD958C
                      • lstrcmpiW.KERNEL32(?,NoRemove,?,?,00000000,00000000,?,00B287C5,000000FF,?,00AD9320,?,00000000,00000000,00000000,?), ref: 00AD967C
                      • lstrcmpiW.KERNEL32(?,Val,?,00000000,00000000,?,00B287C5,000000FF,?,00AD9320,?,00000000,00000000,00000000,?,?), ref: 00AD96A4
                        • Part of subcall function 00AD8D65: CharNextW.USER32(?,?,00000000,?,?,?,?,00AD842E,?,6D9FB08F,?,?,?,?,?,00B2867E), ref: 00AD8DA0
                        • Part of subcall function 00AD8D65: CharNextW.USER32(?,?,?,00000000,?,?,?,?,00AD842E,?,6D9FB08F), ref: 00AD8E26
                        • Part of subcall function 00AD8D65: CharNextW.USER32(00000000,?,?,00000000,?,?,?,?,00AD842E,?,6D9FB08F), ref: 00AD8DBD
                        • Part of subcall function 00AD8D65: CharNextW.USER32(00000000,?,?,00000000,?,?,?,?,00AD842E,?,6D9FB08F), ref: 00AD8DCB
                        • Part of subcall function 00AD8D65: CharNextW.USER32(00000027,00000000,?,00000000,?,?,?,?,00AD842E,?,6D9FB08F), ref: 00AD8E45
                      • RegDeleteValueW.ADVAPI32(?,?,?,?,?,?,?,?,?,?), ref: 00AD97B3
                        • Part of subcall function 00AA1410: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00AA1434
                        • Part of subcall function 00AA1410: RegCloseKey.ADVAPI32(00000000), ref: 00AA1497
                        • Part of subcall function 00AA1410: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00AA144B
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: CharNext$lstrcmpi$AddressCloseDeleteHandleModuleProcValue
                      • String ID: Delete$ForceRemove$NoRemove$Val
                      • API String ID: 3600369491-1781481701
                      • Opcode ID: ab6ebe1a45c784753c7292ac399bbf3d65f67e60cfcee31bb49c14a9e07ff111
                      • Instruction ID: eddacec1120c05b7185e22f2a71a22f0242b5144bff8a914ffe76dabd462d8ab
                      • Opcode Fuzzy Hash: ab6ebe1a45c784753c7292ac399bbf3d65f67e60cfcee31bb49c14a9e07ff111
                      • Instruction Fuzzy Hash: 3AF19131D01229AADF35DF649D59BAEB7B4AB15750F0001ABE80AE7391EB34CF84CB51
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AD9E04
                        • Part of subcall function 00AD7F97: __EH_prolog3.LIBCMT ref: 00AD7F9E
                        • Part of subcall function 00AD8C93: InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,00000000,?,00AD7EE5,?,?,00000000), ref: 00AD8C98
                        • Part of subcall function 00AD8C93: GetLastError.KERNEL32(?,00AD7EE5,?,?,00000000), ref: 00AD8CA2
                      • GetModuleFileNameW.KERNEL32(00AA0000,?,00000104), ref: 00AD9E86
                      • GetModuleHandleW.KERNEL32(00000000), ref: 00AD9EE1
                      • __EH_prolog3_GS.LIBCMT ref: 00AD9FD6
                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000A64), ref: 00ADA0B9
                      • GetModuleFileNameW.KERNEL32(00AA0000,?,00000104), ref: 00ADA05B
                        • Part of subcall function 00AD831A: __EH_prolog3.LIBCMT ref: 00AD8321
                        • Part of subcall function 00AD831A: EnterCriticalSection.KERNEL32(?,?,?,?,00000000), ref: 00AD8339
                        • Part of subcall function 00AD831A: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000), ref: 00AD8358
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: Module$CriticalSection$FileH_prolog3H_prolog3_HandleName$CountEnterErrorInitializeLastLeaveSpin
                      • String ID: Module$Module_Raw$REGISTRY
                      • API String ID: 3285820555-549000027
                      • Opcode ID: 5e7e8221e47b0efec6966fd6adc24bc425875d9d6465621f1b9b38e513d3a935
                      • Instruction ID: 08dfafd084fe1c4ca6ebb348904c80b760444cd097d5c30f01ac45550d70e928
                      • Opcode Fuzzy Hash: 5e7e8221e47b0efec6966fd6adc24bc425875d9d6465621f1b9b38e513d3a935
                      • Instruction Fuzzy Hash: 70A1A072A00328DADB20EBA4DD40BEE77B8AF15710F1441A7E94BA7241DB75DF44CB62
                      APIs
                      • GetLastError.KERNEL32(?,?,6D9FB08F,?,?,?), ref: 00B158DD
                      • SetLastError.KERNEL32(00B36418,?,?,?), ref: 00B15909
                      • GetLastError.KERNEL32(?,?,?), ref: 00B15920
                      • SetLastError.KERNEL32(00B36418,?,?,?), ref: 00B15958
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast$FreeString
                      • String ID: -%04x$ALL
                      • API String ID: 2425351278-2812642467
                      • Opcode ID: 1fb01d23e76b95e3043da23cabb86914f04ef9e2345ca98e169026e054855bdb
                      • Instruction ID: c092f79d36584c220a7bf06c560730c08e6dd21b59a257aeeeabaf9bab43a0dd
                      • Opcode Fuzzy Hash: 1fb01d23e76b95e3043da23cabb86914f04ef9e2345ca98e169026e054855bdb
                      • Instruction Fuzzy Hash: FAB12975D00218EFDB20DFA4C945BEDBBF8EF14300F5041A9E51AA7291EB70AA84CF61
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AF1513
                        • Part of subcall function 00B0B060: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00AF1540,000000BC,00AC6E23,?,00B3C124,00000000,?,?,?,?), ref: 00B0B073
                        • Part of subcall function 00B0B060: GetProcAddress.KERNEL32(00000000), ref: 00B0B07A
                        • Part of subcall function 00B0B060: GetCurrentProcess.KERNEL32(00000000,?,?,00AF1540,000000BC,00AC6E23,?,00B3C124,00000000,?,?,?,?), ref: 00B0B08A
                      • CreateFileW.KERNEL32(00000015,80000000,00000001,00000000,00000003,00000080,00000000,000000BC,00AC6E23,?,00B3C124,00000000,?,?,?,?), ref: 00AF156E
                      • GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 00AF15AE
                      • GetProcAddress.KERNEL32(00000000), ref: 00AF15B5
                        • Part of subcall function 00ADA973: __EH_prolog3.LIBCMT ref: 00ADA97A
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      Strings
                      • GetFinalPathNameByHandleW, xrefs: 00AF15A4
                      • \\?\, xrefs: 00AF165F
                      • utils.cpp, xrefs: 00AF1727
                      • Corrected file path: new path is '%s' (was this on localappdata in system context? old: '%s'), xrefs: 00AF1721
                      • kernel32.dll, xrefs: 00AF15A9
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: AddressErrorFreeHandleLastModuleProcString$CreateCurrentFileH_prolog3H_prolog3_Process
                      • String ID: Corrected file path: new path is '%s' (was this on localappdata in system context? old: '%s')$GetFinalPathNameByHandleW$\\?\$kernel32.dll$utils.cpp
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ACA08F
                        • Part of subcall function 00AC5067: __EH_prolog3_GS.LIBCMT ref: 00AC506E
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                      • lstrcpyW.KERNEL32(?,?,0000002C,00000000,?,00000001,000002B4,00AD1E05,00000002,?,00B36418,?,?,00000001,00000000,dotnetfx.exe), ref: 00ACA135
                      • lstrcatW.KERNEL32(?,langpack20.exe), ref: 00ACA15A
                      • lstrcpyW.KERNEL32(?,?,?,00B3C124,00000001,00000000,?,?,00000001), ref: 00ACA1D2
                      • lstrcatW.KERNEL32(?,vjredist20-LP.exe), ref: 00ACA1F7
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorH_prolog3_Lastlstrcatlstrcpy
                      • String ID: langpack.exe$langpack20.exe$vjredist-LP.exe$vjredist20-LP.exe
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ADD2DA
                      • _memset.LIBCMT ref: 00ADD306
                        • Part of subcall function 00ADC6C9: __EH_prolog3_catch.LIBCMT ref: 00ADC6D0
                        • Part of subcall function 00ADC6C9: lstrcmpW.KERNEL32(?,00B45168,?,?,00B45168,?,?,00000004,00ADEBEE,Startup,Source,00000001,?,00000400,00000452), ref: 00ADC6F8
                      • wsprintfW.USER32 ref: 00ADD342
                      • CharNextW.USER32(?), ref: 00ADD355
                      • CharNextW.USER32(00000000), ref: 00ADD358
                        • Part of subcall function 00AAD24B: __EH_prolog3_GS.LIBCMT ref: 00AAD252
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: CharErrorH_prolog3_LastNext$H_prolog3_catch_memsetlstrcmpwsprintf
                      • String ID: %#x$C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}$Setup.bmp$Type
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: __wcsnicmplstrcmpi
                      • String ID: %$/removeonly$reboot$removeasmajorupgrade$runas$runfromtemp$runprerequisites
                      APIs
                      • LoadIconW.USER32(0000000C,InstallShieldMSIDelete10), ref: 00AACB60
                      • LoadCursorW.USER32(00000000,00007F00), ref: 00AACB6F
                      • GetStockObject.GDI32(00000004), ref: 00AACB7A
                      • RegisterClassW.USER32(00000003), ref: 00AACB91
                      • CreateWindowExW.USER32(00000000,InstallShieldMSIDelete10,InstallShieldMSIDelete10,80000000,00000000,00000000,00000000,00000000,00000000,00000000,0000000C,?), ref: 00AACBB5
                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00AACBE2
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: Load$ClassCreateCursorIconMessageObjectRegisterStockWindow
                      • String ID: InstallShieldMSIDelete10
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AD6AFF
                      • GetDlgItem.USER32(?,00000000), ref: 00AD6B6E
                      • SendMessageW.USER32(00000000), ref: 00AD6B71
                      • GetDlgItem.USER32(?,00000000), ref: 00AD6B97
                      • SendMessageW.USER32(00000000), ref: 00AD6B9A
                      • GetDlgItem.USER32(?,00000000), ref: 00AD6C2A
                      • SendMessageW.USER32(00000000), ref: 00AD6C31
                      • EndDialog.USER32(?,00000002), ref: 00AD6C47
                      • SetWindowTextW.USER32(?,-00000004), ref: 00AD6C98
                      • DeleteObject.GDI32(00000040), ref: 00AD6E27
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ItemMessageSend$DeleteDialogH_prolog3_ObjectTextWindow
                      APIs
                      • __lock.LIBCMT ref: 00AFE37D
                        • Part of subcall function 00AFF36A: __mtinitlocknum.LIBCMT ref: 00AFF37C
                        • Part of subcall function 00AFF36A: EnterCriticalSection.KERNEL32(00000000,?,00AF7AE5,0000000D), ref: 00AFF395
                      • __calloc_crt.LIBCMT ref: 00AFE38E
                        • Part of subcall function 00AF77AF: __calloc_impl.LIBCMT ref: 00AF77BE
                        • Part of subcall function 00AF77AF: Sleep.KERNEL32(00000000,?,00AF7A55,00000001,000003BC), ref: 00AF77D5
                      • @_EH4_CallFilterFunc@8.LIBCMT ref: 00AFE3A9
                      • GetStartupInfoW.KERNEL32(?,00B5DA38,00000064,00AF6B37,00B5D788,00000014), ref: 00AFE402
                      • __calloc_crt.LIBCMT ref: 00AFE44D
                      • GetFileType.KERNEL32(00000001), ref: 00AFE494
                      • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00AFE4CD
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                      APIs
                      • GetLastError.KERNEL32 ref: 00AA2735
                      • SetLastError.KERNEL32(00B36418,00000000,00000000,000000FF), ref: 00AA2795
                      • GetLastError.KERNEL32 ref: 00AA27BE
                      • SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 00AA281E
                      • GetLastError.KERNEL32 ref: 00AA283E
                      • SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00AA288A
                      • GetLastError.KERNEL32 ref: 00AA2899
                      • SysFreeString.OLEAUT32(?), ref: 00AA28B3
                      • SysFreeString.OLEAUT32(?), ref: 00AA28C0
                      • SetLastError.KERNEL32(?), ref: 00AA28E4
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast$FreeString
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AB4951
                        • Part of subcall function 00AB4C02: lstrlenW.KERNEL32(?), ref: 00AB4C0D
                      • CopyFileW.KERNEL32(?,?,00000000,00000830,00AC7E19,?,?), ref: 00AB496C
                      • _memset.LIBCMT ref: 00AB498D
                      • CreateThread.KERNEL32(00000000,00000000,00AB4DC9,?,00000000,?), ref: 00AB4A20
                      • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,00000004), ref: 00AB4A4B
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AB4A92
                      • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00AB4AA7
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: MultipleObjectsWait$CopyCreateFileH_prolog3_MessagePeekThread_memsetlstrlen
                      APIs
                        • Part of subcall function 00AAC449: __EH_prolog3.LIBCMT ref: 00AAC450
                        • Part of subcall function 00AAC449: GetLastError.KERNEL32(00000004,00AAC6DF,00000000,?,00000000,00000004,00AAF608,-00000004,?,00000001,?,00000000), ref: 00AAC472
                        • Part of subcall function 00AAC449: SetLastError.KERNEL32(?,00000000,?), ref: 00AAC4B3
                      • __wcsnicmp.LIBCMT ref: 00B19C86
                      • __wcsnicmp.LIBCMT ref: 00B19CDF
                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00B19D72
                      • GetFileSize.KERNEL32(00000000,?), ref: 00B19D95
                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B19DD2
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: File$ErrorLast__wcsnicmp$CreateH_prolog3ReadSize
                      • String ID: .bmp$.dll$.wmf
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AE0FA1
                        • Part of subcall function 00AC5067: __EH_prolog3_GS.LIBCMT ref: 00AC506E
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      • GetFileAttributesW.KERNEL32(?), ref: 00AE10A6
                      • GetTempPathW.KERNEL32(00000104,00000000,?,00000104), ref: 00AE110B
                      • GetTempFileNameW.KERNEL32(?,IS_,00000000,00000000,?,00000104), ref: 00AE1160
                      • GetModuleFileNameW.KERNEL32(?,00000104), ref: 00AE1183
                        • Part of subcall function 00AAF066: SysFreeString.OLEAUT32(00000000), ref: 00AAF075
                        • Part of subcall function 00AEF199: __EH_prolog3.LIBCMT ref: 00AEF1A0
                        • Part of subcall function 00AEF199: CloseHandle.KERNEL32(?,00000008,00AF0592,?,?,00B45168,?,?,00000000,00000000), ref: 00AEF1FD
                      • DeleteFileW.KERNEL32(?), ref: 00AE12B7
                        • Part of subcall function 00AB81AC: __EH_prolog3_GS.LIBCMT ref: 00AB81B3
                        • Part of subcall function 00AB81AC: LoadLibraryW.KERNEL32(?,?,00000001,0000006C,00ACE981,?,?,00000000,?), ref: 00AB81DC
                        • Part of subcall function 00AB81AC: GetLastError.KERNEL32 ref: 00AB81F3
                        • Part of subcall function 00AB8449: __EH_prolog3.LIBCMT ref: 00AB8450
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast$File$FreeH_prolog3_String$H_prolog3NameTemp$AttributesCloseDeleteHandleLibraryLoadModulePath
                      • String ID: ISSetup.dll$IS_
                      APIs
                        • Part of subcall function 00B1A340: __EH_prolog3.LIBCMT ref: 00B1A347
                      • _memmove.LIBCMT ref: 00B183AD
                      • GetWindowDC.USER32(00000000), ref: 00B183BD
                      • CreateDIBitmap.GDI32(00000000,00000000,00000004,000000FF,00000000,00000000), ref: 00B183D2
                      • ReleaseDC.USER32(00000000,00000000), ref: 00B18403
                      • _memset.LIBCMT ref: 00B18436
                      • _memmove.LIBCMT ref: 00B18443
                      • _memmove.LIBCMT ref: 00B18457
                      Strings
                      Similarity
                      • API ID: _memmove$BitmapCreateH_prolog3ReleaseWindow_memset
                      • String ID: (
                      APIs
                      Strings
                      Similarity
                      • API ID: wsprintf$_memsetlstrlen
                      • String ID: %s%s$ftp://$http://$https://
                      APIs
                      • CharNextW.USER32(?,tempdisk1folder,?,00000000), ref: 00AC040D
                      • lstrcmpW.KERNEL32(00000000,%IS_T%,?,tempdisk1folder,?,00000000), ref: 00AC041B
                      • _memset.LIBCMT ref: 00AC047E
                      • RegDeleteValueW.ADVAPI32(?,00000000,?,?), ref: 00AC04CB
                        • Part of subcall function 00ADFB50: lstrlenW.KERNEL32(?,?,?,00AB0EBB,00000000,00000001,0000044F,00000000,000008A8,00AC0F82,00000452,?,00000218,00AC12C5,?,0000043C), ref: 00ADFB59
                        • Part of subcall function 00ADFB50: lstrcpyW.KERNEL32(00000000,?,?,?,00AB0EBB,00000000,00000001,0000044F,00000000,000008A8,00AC0F82,00000452,?,00000218,00AC12C5,?), ref: 00ADFB80
                        • Part of subcall function 00ADFB50: lstrcpyW.KERNEL32(00B6AF48,?,?,?,00AB0EBB,00000000,00000001,0000044F,00000000,000008A8,00AC0F82,00000452,?,00000218,00AC12C5,?), ref: 00ADFB8E
                      Strings
                      Similarity
                      • API ID: lstrcpy$CharDeleteNextValue_memsetlstrcmplstrlen
                      • String ID: %IS_T%$'$Software\Microsoft\Windows\CurrentVersion$tempdisk1folder
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00B0AC58
                      • GetModuleHandleW.KERNEL32(kernel32.dll,SetFileAttributesW,00000000,00B070B4,0000000A,00000000), ref: 00B0AC72
                      • GetProcAddress.KERNEL32(00000000), ref: 00B0AC75
                      • GetModuleHandleW.KERNEL32(kernel32.dll,SetFileAttributesA), ref: 00B0AC9C
                      • GetProcAddress.KERNEL32(00000000), ref: 00B0AC9F
                      Strings
                      Similarity
                      • API ID: AddressHandleModuleProc$H_prolog3
                      • String ID: SetFileAttributesA$SetFileAttributesW$kernel32.dll
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00B08064
                      • GetModuleHandleW.KERNEL32(kernel32.dll,GetFileAttributesW,00000000,00B07162), ref: 00B0807E
                      • GetProcAddress.KERNEL32(00000000), ref: 00B08081
                      • GetModuleHandleW.KERNEL32(kernel32.dll,GetFileAttributesA), ref: 00B080A5
                      • GetProcAddress.KERNEL32(00000000), ref: 00B080A8
                      Strings
                      Similarity
                      • API ID: AddressHandleModuleProc$H_prolog3
                      • String ID: GetFileAttributesA$GetFileAttributesW$kernel32.dll
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ABDFC9
                        • Part of subcall function 00AA1410: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00AA1434
                        • Part of subcall function 00AA1410: RegCloseKey.ADVAPI32(00000000), ref: 00AA1497
                      • GetCommandLineW.KERNEL32 ref: 00ABE146
                        • Part of subcall function 00AB66D5: __EH_prolog3.LIBCMT ref: 00AB66DC
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00ABA840: __EH_prolog3_GS.LIBCMT ref: 00ABA847
                        • Part of subcall function 00ABA840: __itow_s.LIBCMT ref: 00ABA87E
                        • Part of subcall function 00ABA840: SetLastError.KERNEL32(00000001,?,00000000), ref: 00ABA8AD
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00AAC346: __EH_prolog3.LIBCMT ref: 00AAC34D
                        • Part of subcall function 00AAC346: GetLastError.KERNEL32(00000004,00ADA9A1,?,00000000,00000004,00AAEE6B,?,00000001), ref: 00AAC36F
                        • Part of subcall function 00AAC346: SetLastError.KERNEL32(?,00000000), ref: 00AAC3AF
                        • Part of subcall function 00AAF9B1: __EH_prolog3_GS.LIBCMT ref: 00AAF9BB
                        • Part of subcall function 00AAF1F4: __wcsnicmp.LIBCMT ref: 00AAF23B
                      Strings
                      Similarity
                      • API ID: ErrorLast$H_prolog3_$FreeH_prolog3String$CloseCommandHandleLineModule__itow_s__wcsnicmp
                      • String ID: ISSetupPrerequisistes$%%IS_PREREQ%%-%s$.exe$Software\Microsoft\Windows\CurrentVersion$Software\Microsoft\Windows\CurrentVersion\RunOnce
                      APIs
                      Strings
                      Similarity
                      • API ID: ErrorLast_memsetwsprintf
                      • String ID: Referer: %s$dwplayer
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AB947B
                      • GetProcAddress.KERNEL32(?,RunISMSISetup), ref: 00AB948D
                      • GetModuleFileNameW.KERNEL32(00000000,00000400,?,00000400), ref: 00AB94F8
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      Strings
                      Similarity
                      • API ID: ErrorFreeLastString$AddressFileH_prolog3_ModuleNameProc
                      • String ID: ProductCode$RunISMSISetup$Startup$setup.ini
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00B05DB5
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                      • GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00B05EEB
                        • Part of subcall function 00ADAA78: __EH_prolog3.LIBCMT ref: 00ADAA7F
                        • Part of subcall function 00ADAA78: GetLastError.KERNEL32(00000004,00ADA77A,00000008,00AE0116,00B3C124,00000001,?,00000001), ref: 00ADAA98
                      • __CxxThrowException@8.LIBCMT ref: 00B05E3A
                        • Part of subcall function 00AF4189: RaiseException.KERNEL32(?,?,00AF2E66,00000000,?,?,?,?,00AF2E66,00000000,00B5D638,?), ref: 00AF41DA
                      • GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000104,00000078,00B087CD,?,00000000,00000068,00ACE68C,?,00B6C058,?,00000000,00000000,?), ref: 00B05E0D
                        • Part of subcall function 00AAC8E0: __EH_prolog3_GS.LIBCMT ref: 00AAC8E7
                        • Part of subcall function 00AAC8E0: GetLastError.KERNEL32(00000038,00AB6EF1), ref: 00AAC8EE
                        • Part of subcall function 00AAC8E0: SetLastError.KERNEL32(00000000), ref: 00AAC944
                      • GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000104,00000078,00B087CD,?,00000000,00000068,00ACE68C,?,00B6C058,?,00000000,00000000,?), ref: 00B05E7E
                        • Part of subcall function 00AAF320: SysStringLen.OLEAUT32(?), ref: 00AAF32D
                        • Part of subcall function 00AAF320: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00AAF347
                      Strings
                      Similarity
                      • API ID: ErrorLast$Directory$H_prolog3_StringWindows$AllocExceptionException@8H_prolog3RaiseSystemThrow
                      • String ID: sysnative$syswow64
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00B0A195
                      • GetModuleHandleW.KERNEL32(Ntdll.dll,NtQueryInformationProcess,?,00000400,?,000004A0,00B0A179,00000000,?,0000006C,00B0AE91,00B09960,?,?), ref: 00B0A1C5
                      • GetProcAddress.KERNEL32(00000000), ref: 00B0A1CC
                      • OpenProcess.KERNEL32(00000400,00000000,?,?,0000006C,00B0AE91,00B09960,?,?), ref: 00B0A1F8
                      • _memset.LIBCMT ref: 00B0A21D
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      Strings
                      Similarity
                      • API ID: ErrorFreeLastString$AddressH_prolog3_HandleModuleOpenProcProcess_memset
                      • String ID: NtQueryInformationProcess$Ntdll.dll
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AD1859
                      • _memset.LIBCMT ref: 00AD187C
                        • Part of subcall function 00AA1500: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00AA1528
                        • Part of subcall function 00ADC9C5: __EH_prolog3.LIBCMT ref: 00ADC9CC
                      • lstrcpyW.KERNEL32(?,-00000004,?), ref: 00AD18E2
                      • lstrcatW.KERNEL32(?," /%), ref: 00AD1909
                      • _wcschr.LIBCMT ref: 00AD1914
                      • lstrcatW.KERNEL32(?,00000000), ref: 00AD1927
                      Strings
                      Similarity
                      • API ID: lstrcat$H_prolog3H_prolog3_QueryValue_memset_wcschrlstrcpy
                      • String ID: " /%
                      • API String ID: 2854241388-1244271203
                      • Opcode ID: 8548db0cb6dc1b67000349abf62d2909547a2f83743da23c7a7d65744f42873f
                      • Instruction ID: 22f70f7ccbdafc5256574d928fd067c6a4749aa32de90e0104d403fa0946e4bb
                      • Opcode Fuzzy Hash: 8548db0cb6dc1b67000349abf62d2909547a2f83743da23c7a7d65744f42873f
                      • Instruction Fuzzy Hash: E82181B2A1021CAADB10E7A4CD55AAE73ECBF48310F4445A6F64AE7191EB30DA40CF94
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00B0A610
                        • Part of subcall function 00AAC346: __EH_prolog3.LIBCMT ref: 00AAC34D
                        • Part of subcall function 00AAC346: GetLastError.KERNEL32(00000004,00ADA9A1,?,00000000,00000004,00AAEE6B,?,00000001), ref: 00AAC36F
                        • Part of subcall function 00AAC346: SetLastError.KERNEL32(?,00000000), ref: 00AAC3AF
                        • Part of subcall function 00B0AD39: __EH_prolog3.LIBCMT ref: 00B0AD40
                      • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00B0A67F
                      • GetLastError.KERNEL32 ref: 00B0A690
                      • RegOverridePredefKey.ADVAPI32(80000000,00000000), ref: 00B0A6E3
                        • Part of subcall function 00B0AA46: GetVersionExW.KERNEL32(?), ref: 00B0AA6A
                        • Part of subcall function 00B063AA: RegOverridePredefKey.ADVAPI32(80000000,?), ref: 00B063E2
                      • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 00B0A6AB
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorH_prolog3Last$OverridePredef$AddressLibraryLoadProcVersion
                      • String ID: DllRegisterServer$DllUnregisterServer
                      • API String ID: 916470829-2931954178
                      • Opcode ID: da12a0fd0f954faa75e22ad3bdfb49dc13571ede0e88be075d8a445a55854b91
                      • Instruction ID: 660eb087e95cfdf9e1b7f75b9890a2f41b5529a93a43c3bd62f4ce0fb6a55385
                      • Opcode Fuzzy Hash: da12a0fd0f954faa75e22ad3bdfb49dc13571ede0e88be075d8a445a55854b91
                      • Instruction Fuzzy Hash: 4621F464904344AEDF10EFB4C9567AD3FF8AF11344F5488E8F445AB1D2DB718608DB22
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AE6E71
                      • _memset.LIBCMT ref: 00AE6EA0
                      • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00000000,00020019,?), ref: 00AE6EDC
                      • RegQueryValueExW.ADVAPI32 ref: 00AE6F17
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: H_prolog3_OpenQueryValue_memset
                      • String ID: CommonFilesDir$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
                      • API String ID: 3654002236-3256072622
                      • Opcode ID: 262da34d3cd21360a3115224dc3db9b7eea2e9f5281ac5d219decd2296378ea2
                      • Instruction ID: 88ce6f4ab704a18fa8c72bafcd98df1f3ee6fb0dc5095e664c19df615f1aa8b9
                      • Opcode Fuzzy Hash: 262da34d3cd21360a3115224dc3db9b7eea2e9f5281ac5d219decd2296378ea2
                      • Instruction Fuzzy Hash: 25317CB190126CAFDB60DB98DD89BEEB7B8EB54304F2001E9B50CA7291DB705E848F51
                      APIs
                      • _memset.LIBCMT ref: 00AF2514
                      • CharNextW.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}), ref: 00AF251D
                      • lstrcpyW.KERNEL32(?,00000000,?,?,C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}), ref: 00AF2531
                      • CharNextW.USER32(00000000,?,?,C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}), ref: 00AF2546
                      • CharPrevW.USER32(00000000,00000000,?,?,C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}), ref: 00AF255F
                      • lstrcpyW.KERNEL32(?,00000000,?,?,C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}), ref: 00AF257A
                      Strings
                      • C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}, xrefs: 00AF24ED
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: Char$Nextlstrcpy$Prev_memset
                      • String ID: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}
                      • API String ID: 3355883774-4156213419
                      • Opcode ID: 133d058ba7ee5691d5ea78175cde189767d976846b38e3b3fabb20277556b1dd
                      • Instruction ID: c2614ed685a7f2208622b434de3e8abb8eccd321e51d01a54c639c4cb579ddbc
                      • Opcode Fuzzy Hash: 133d058ba7ee5691d5ea78175cde189767d976846b38e3b3fabb20277556b1dd
                      • Instruction Fuzzy Hash: D31194B294021CAACB61ABA4DD05AAF73BCFF08300F018496F605D7190DE746F888BE0
                      APIs
                      • GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId,00000000,00B09960,?,00B0864E,00000000,?,?,?,?,?,0000006C,00B0AE91,00B09960,?), ref: 00B08A8A
                      • GetProcAddress.KERNEL32(00000000), ref: 00B08A91
                      • OpenProcess.KERNEL32(001FFFFF,00000001,?,00000000,00000000,00B09960,?,00B0864E,00000000,?,?,?,?,?,0000006C,00B0AE91), ref: 00B08AB1
                      • GetProcessTimes.KERNEL32(00B09960,00B0AE91,0000006C,?,?,00000000,00000000,00B09960,?,00B0864E,00000000,?,?,?,?,?), ref: 00B08ACA
                      • CloseHandle.KERNEL32(00B09960,?,00B0864E,00000000,?,?,?,?,?,0000006C,00B0AE91,00B09960,?,?), ref: 00B08AD7
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: HandleProcess$AddressCloseModuleOpenProcTimes
                      • String ID: GetProcessId$kernel32.dll
                      • API String ID: 4254294609-399901964
                      • Opcode ID: a50d702a3867f03d3c2a04cc077e8ef7d45dae5ba51bb7fc34d3ee867d9556b8
                      • Instruction ID: 34a49f7aceb65211fb6148227262440f96e6e1d5e64a315f7a025ccd47d7408c
                      • Opcode Fuzzy Hash: a50d702a3867f03d3c2a04cc077e8ef7d45dae5ba51bb7fc34d3ee867d9556b8
                      • Instruction Fuzzy Hash: 5501F737341E19BF8B224FA49C04A6F3B9DEE457A13190052FE42E3590CF30CD114BA0
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AF1ACA
                        • Part of subcall function 00AAC6A3: __EH_prolog3.LIBCMT ref: 00AAC6AA
                        • Part of subcall function 00B087AC: __EH_prolog3_GS.LIBCMT ref: 00B087B3
                      • LoadLibraryW.KERNEL32(-00000004,COMCTL32,?,00000001,00000074,00AE3EEC,?,00000001,clone_wait,00000000,00000001,00000001,Relaunching setup from temp,?,00000001,Setup.cpp), ref: 00AF1B05
                      • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00AF1B32
                      • #17.COMCTL32 ref: 00AF1B52
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: H_prolog3_$AddressH_prolog3LibraryLoadProc
                      • String ID: $COMCTL32$InitCommonControlsEx
                      • API String ID: 1649272465-1772614818
                      • Opcode ID: 003c9a8835f39791278ae1f6a5fe5dcfedb84786ca93964d0c40a8ba6f809c01
                      • Instruction ID: 1392426c9b43098aef07ab7593c78389d138358d36cc9c1ca3874fec3bcb4d45
                      • Opcode Fuzzy Hash: 003c9a8835f39791278ae1f6a5fe5dcfedb84786ca93964d0c40a8ba6f809c01
                      • Instruction Fuzzy Hash: 29115171C05218EADB14EBE4CD49BED7BB8BF15304F64016DF111A71D2EB709A05DB61
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: H_prolog3_
                      • String ID: Wiz$Inst$allS$ard$d$hiel
                      • API String ID: 2427045233-3898594558
                      • Opcode ID: 700ff9767cf4b83bd6fc453f515ca040d19d3bb1277fb695a940be6bd8f8c2be
                      • Instruction ID: a1b48c9412b50a25e738a4624ba4e7937b38e972dec64c1f7f37361fcd472461
                      • Opcode Fuzzy Hash: 700ff9767cf4b83bd6fc453f515ca040d19d3bb1277fb695a940be6bd8f8c2be
                      • Instruction Fuzzy Hash: 97F0F4B1D0021C9ACF01DFD6D5816DEBBB5BF08710F94501AF504BB341C7759A498BA9
                      APIs
                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00AC9B98
                      • GetLastError.KERNEL32 ref: 00AC9BAB
                      • __CxxThrowException@8.LIBCMT ref: 00AC9BEC
                      • _memmove.LIBCMT ref: 00AC9C52
                      • WriteFile.KERNEL32(00000000,00000000,00002800,?,00000000,?,?,00000000,00002800), ref: 00AC9C81
                      • GetLastError.KERNEL32 ref: 00AC9C8B
                      • GetLastError.KERNEL32 ref: 00AC9CC7
                      • CloseHandle.KERNEL32(00000000,?,?,00000000,00002800), ref: 00AC9D66
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorLast$File$CloseCreateException@8HandleThrowWrite_memmove
                      • String ID:
                      • API String ID: 2788177597-0
                      • Opcode ID: bea841512ec6c8ec4be6b0c13b3b284ed9b998582c997a0edb8ca285d9b06f8c
                      • Instruction ID: 8d123faf19180c9fbcd3e61d08c632217d323b6fcfc992d14dbfafbe56af1427
                      • Opcode Fuzzy Hash: bea841512ec6c8ec4be6b0c13b3b284ed9b998582c997a0edb8ca285d9b06f8c
                      • Instruction Fuzzy Hash: 76519470A02619AEDB25DB65DD99BBFB7FCAB04750F1041AEF50AE6180DB309F448B50
                      APIs
                      • GetLastError.KERNEL32 ref: 00AA547F
                      • SetLastError.KERNEL32(00B36418), ref: 00AA54B3
                        • Part of subcall function 00AA5D10: MultiByteToWideChar.KERNEL32(00000007,00000000,00000000,00000001,00000000,00000000,6D9FB08F,00000000,0000000B,?), ref: 00AA5EA0
                        • Part of subcall function 00AA5D10: MultiByteToWideChar.KERNEL32(00000007,00000000,?), ref: 00AA5EDA
                      • GetLastError.KERNEL32 ref: 00AA54E2
                      • SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00AA552E
                      • GetLastError.KERNEL32 ref: 00AA5541
                      • SysFreeString.OLEAUT32(?), ref: 00AA555B
                      • SysFreeString.OLEAUT32(?), ref: 00AA5568
                      • SetLastError.KERNEL32(?), ref: 00AA558C
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorLast$ByteCharFreeMultiStringWide
                      • String ID:
                      • API String ID: 2284902721-0
                      • Opcode ID: 5e5a463a72aa2e53c739b4358f0096094fe4dfaeba3d4af87cd89cb80d036f64
                      • Instruction ID: ed402a28de5cb5158799bbe2a5d2388f9659724719371a100a30c21a12ae7495
                      • Opcode Fuzzy Hash: 5e5a463a72aa2e53c739b4358f0096094fe4dfaeba3d4af87cd89cb80d036f64
                      • Instruction Fuzzy Hash: 1F4109B15087409FCB10DF68D884B4ABBE4FF89318F204A6DF8589B2A1D775E904CF86
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AB6027
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                      • EndDialog.USER32(?,00000001), ref: 00AB6083
                      • SetWindowTextW.USER32(?,-00000004), ref: 00AB60C9
                      • GetDlgItem.USER32(?,00000001), ref: 00AB6107
                      • GetDlgItem.USER32(?,00000066), ref: 00AB610F
                      • ShowWindow.USER32(?,00000000), ref: 00AB6125
                      • ShowWindow.USER32(00000000,00000000), ref: 00AB613B
                      • DeleteObject.GDI32 ref: 00AB615E
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: Window$ErrorItemLastShow$DeleteDialogH_prolog3_ObjectText
                      • String ID:
                      • API String ID: 276247898-0
                      • Opcode ID: 64cb47bdc85804750932e51ba096e6e9807dd48b1f96f3d863a37b6fb328d52b
                      • Instruction ID: c5d4e4a875dd19b71f5579a5096fdde0ed8e46614720095edbfcde50e6cf477e
                      • Opcode Fuzzy Hash: 64cb47bdc85804750932e51ba096e6e9807dd48b1f96f3d863a37b6fb328d52b
                      • Instruction Fuzzy Hash: 9E31B371800208EBDB10EFB8DD85AFE7BB8FB15714F244129F101A7293CB799944DBA1
                      APIs
                      • __EH_prolog3_catch_GS.LIBCMT ref: 00AD936A
                      • LoadLibraryExW.KERNEL32(?,00000000,00000060,00000424), ref: 00AD93A9
                      • LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 00AD93BF
                      • FindResourceW.KERNEL32(00000000,?,?), ref: 00AD93EA
                      • LoadResource.KERNEL32(00000000,00000000), ref: 00AD9402
                      • SizeofResource.KERNEL32(00000000,00000000), ref: 00AD9414
                        • Part of subcall function 00AD8977: GetLastError.KERNEL32 ref: 00AD8977
                      • FreeLibrary.KERNEL32(00000000), ref: 00AD94B8
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: LibraryLoadResource$ErrorFindFreeH_prolog3_catch_LastSizeof
                      • String ID:
                      • API String ID: 1818814483-0
                      • Opcode ID: 5d7015c41587bb3d9116633677eb48d674338897e622ff422ba4c159ad6cf677
                      • Instruction ID: 166a7b22351780705c08e2688fcf70d76861771a1a05daee2b6821043f2b1a1e
                      • Opcode Fuzzy Hash: 5d7015c41587bb3d9116633677eb48d674338897e622ff422ba4c159ad6cf677
                      • Instruction Fuzzy Hash: 8C4160B190162D9BCB218F148D44BEF7AB5AF48354F5080EEF90AA7351DB708E81CFA5
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00AEE936
                        • Part of subcall function 00ADA973: __EH_prolog3.LIBCMT ref: 00ADA97A
                        • Part of subcall function 00B070E3: __EH_prolog3_GS.LIBCMT ref: 00B070ED
                      • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00000010), ref: 00AEE98C
                      • GetDC.USER32(00000000), ref: 00AEE9BD
                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00AEE9CE
                      • GetDeviceCaps.GDI32(00000000,0000000E), ref: 00AEE9D5
                      • ReleaseDC.USER32(00000000,00000000), ref: 00AEE9DD
                      • CreateDialogParamW.USER32(?,0000006C,00000000,Function_0004EA39,00000000), ref: 00AEEA09
                      • SetForegroundWindow.USER32(00000000), ref: 00AEEA13
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: CapsDeviceH_prolog3$CreateDialogForegroundH_prolog3_ImageLoadParamReleaseWindow
                      • String ID:
                      • API String ID: 2034763720-0
                      • Opcode ID: 925020bb602ed3f99ddc76eba9c4bfc1530af7fdf08b05b96e06afde6cbc45e4
                      • Instruction ID: e1ceb5c9fd3ecb11fe070aa590c18b8ec8eee6ff942d56bc2942e9b28cc094ad
                      • Opcode Fuzzy Hash: 925020bb602ed3f99ddc76eba9c4bfc1530af7fdf08b05b96e06afde6cbc45e4
                      • Instruction Fuzzy Hash: 5C31D472A00208EFDB10EFA5CC85AAE7BA8FB08355F108529F855A72A1DB74DD44CF90
                      APIs
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: String$Free_memmove$Alloc
                      • String ID:
                      • API String ID: 2303858246-0
                      • Opcode ID: 763a3886c64de84a038fc92c5953cdc1f2c91f6a49b07958d1d937a9a21c068f
                      • Instruction ID: 7a915716535a00c6bf628db23aaa1d5cce76f53c507ff8ffdf3007ded6775d11
                      • Opcode Fuzzy Hash: 763a3886c64de84a038fc92c5953cdc1f2c91f6a49b07958d1d937a9a21c068f
                      • Instruction Fuzzy Hash: 1B21AE31900704EFCB219FA8CD8899EBBB4FF483A57200669F916D7261CB70EE549B90
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AF05A2
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00ADD595: __EH_prolog3_GS.LIBCMT ref: 00ADD59C
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorH_prolog3_Last
                      • String ID: BuildNo$MajorVer$MinorVer$MinorVerMax$PlatformId
                      • API String ID: 1018228973-1900021638
                      • Opcode ID: 6cd15654184aa01db207d7d728ce37c25098b2d2b30a18b7686c4f24af069f0c
                      • Instruction ID: ce6d48e1e3f8468cdcb0273362287e2de61159ac6aef09d8f592eb37e9b975b9
                      • Opcode Fuzzy Hash: 6cd15654184aa01db207d7d728ce37c25098b2d2b30a18b7686c4f24af069f0c
                      • Instruction Fuzzy Hash: A5B10971D8021AEAEB65DF64CD91BFDB7B4AB05354F1001EAA129A71C2EB745F84CF80
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ABAC5D
                        • Part of subcall function 00ABF08F: __EH_prolog3.LIBCMT ref: 00ABF096
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00ABCDD3: __EH_prolog3_GS.LIBCMT ref: 00ABCDDD
                        • Part of subcall function 00ABCDD3: GetDlgItem.USER32(00000000,0000040B), ref: 00ABCE10
                        • Part of subcall function 00ABCDD3: GetDlgItem.USER32(0000012D), ref: 00ABCE23
                        • Part of subcall function 00ABCDD3: GetModuleFileNameW.KERNEL32(00000000,?,00000400,000000FF), ref: 00ABCE82
                      Strings
                      • EXECUTEMODE=None, xrefs: 00ABACC0, 00ABACC5, 00ABACCF
                      • Hidden prerequisites require, but did not receive, elevation. Exiting setup., xrefs: 00ABAF52
                      • Administrative privileges are required, but setup is silent. Exiting setup., xrefs: 00ABAD67
                      • Visible prerequisites require, but did not receive, elevation. Prompting user., xrefs: 00ABAE1A
                      • ..\..\..\Shared\Setup\IsPreReqDlg.cpp, xrefs: 00ABAD4E, 00ABAE01, 00ABAF39
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorFreeH_prolog3_ItemLastString$FileH_prolog3ModuleName
                      • String ID: ..\..\..\Shared\Setup\IsPreReqDlg.cpp$Administrative privileges are required, but setup is silent. Exiting setup.$EXECUTEMODE=None$Hidden prerequisites require, but did not receive, elevation. Exiting setup.$Visible prerequisites require, but did not receive, elevation. Prompting user.
                      • API String ID: 584689619-2161882974
                      • Opcode ID: 72183dbee69b4edfc67a70b9fdb5f5a894ffc8383395fc634cb2d6f4dab5e8a1
                      • Instruction ID: 52c2622f67301248b55c349f189d52c6c71f1e5b89a70aed3539e8274e1b2f50
                      • Opcode Fuzzy Hash: 72183dbee69b4edfc67a70b9fdb5f5a894ffc8383395fc634cb2d6f4dab5e8a1
                      • Instruction Fuzzy Hash: A0A1CF71900248EFEB25DBB4CD85BEDBBB8BB11300F24415EE101A71D3EBB49A49DB61
                      APIs
                      • GetTempFileNameW.KERNEL32(?,_is,00000000,00000000,?,00000104), ref: 00B09090
                      • GetTempPathW.KERNEL32(00000104,00000000,?,00000104), ref: 00B08F72
                        • Part of subcall function 00AAC8E0: __EH_prolog3_GS.LIBCMT ref: 00AAC8E7
                        • Part of subcall function 00AAC8E0: GetLastError.KERNEL32(00000038,00AB6EF1), ref: 00AAC8EE
                        • Part of subcall function 00AAC8E0: SetLastError.KERNEL32(00000000), ref: 00AAC944
                      • __EH_prolog3_GS.LIBCMT ref: 00B08F2F
                        • Part of subcall function 00AAF37B: __EH_prolog3.LIBCMT ref: 00AAF382
                        • Part of subcall function 00AAF320: SysStringLen.OLEAUT32(?), ref: 00AAF32D
                        • Part of subcall function 00AAF320: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00AAF347
                      • DeleteFileW.KERNEL32(?), ref: 00B090B5
                        • Part of subcall function 00AAC346: __EH_prolog3.LIBCMT ref: 00AAC34D
                        • Part of subcall function 00AAC346: GetLastError.KERNEL32(00000004,00ADA9A1,?,00000000,00000004,00AAEE6B,?,00000001), ref: 00AAC36F
                        • Part of subcall function 00AAC346: SetLastError.KERNEL32(?,00000000), ref: 00AAC3AF
                        • Part of subcall function 00B09B35: __EH_prolog3.LIBCMT ref: 00B09B3C
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast$H_prolog3$FileH_prolog3_StringTemp$AllocDeleteNamePath
                      • String ID: .tmp$_is
                      • API String ID: 2274788794-3921807090
                      • Opcode ID: a7f5a1323edc68a43b9b1577e3ad97e5b18467f5da64d6bf1f307c89e05429c3
                      • Instruction ID: 28b3951abb3f4a088c4bc9103bdacc5374f5de102707a7bb2ff29d64332aa2dc
                      • Opcode Fuzzy Hash: a7f5a1323edc68a43b9b1577e3ad97e5b18467f5da64d6bf1f307c89e05429c3
                      • Instruction Fuzzy Hash: 1F91AD71900248EEDF15EBA4CE56BEDBBF8AF16300F1040D8E54A671D2EB705B49DB61
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AC9E3F
                      • GetVersionExW.KERNEL32(?,000001FC,00AD1DB8,00B3634C,?,?,00000001,00000000,dotnetfx.exe,?,00000001,isnetfx.exe,?,00000001,000001D4,00ACD677), ref: 00AC9E60
                      • _wcscmp.LIBCMT ref: 00AC9E93
                      • _wcscmp.LIBCMT ref: 00ACA012
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: _wcscmp$H_prolog3_Version
                      • String ID: 0$dotnetfxsp1.exe
                      • API String ID: 158289-2331464614
                      • Opcode ID: 2ffc7d2ca3a0e6ff251c20e165b6d01a1fb0953af0a5300798953d8b3eef4ec7
                      • Instruction ID: 79255d73973eaccf0a10c393c2f9a272effcbc681b3476a14b90de333864d5fa
                      • Opcode Fuzzy Hash: 2ffc7d2ca3a0e6ff251c20e165b6d01a1fb0953af0a5300798953d8b3eef4ec7
                      • Instruction Fuzzy Hash: 75515C7190126DEADB24DBA4CD55BEEBBB8AB12304F1040EDE119A3182DB705F85DF91
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AF0994
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00ADD595: __EH_prolog3_GS.LIBCMT ref: 00ADD59C
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast$FreeH_prolog3_String
                      • String ID: 1.20.1827.0$CSDVersion$MajorVer$ServicePack$System\CurrentControlSet\Control\Windows
                      • API String ID: 2608676048-3305444093
                      • Opcode ID: 101420cd3e73dd66e529796176dccf1dd6801f5c2f96c7cf839500ac9c9df6c4
                      • Instruction ID: 458e88528b2732cec4d8f40ad673e5f7c2fe96d72fd6477c2b226f14e7d8d56e
                      • Opcode Fuzzy Hash: 101420cd3e73dd66e529796176dccf1dd6801f5c2f96c7cf839500ac9c9df6c4
                      • Instruction Fuzzy Hash: E1514A31D00219EBDB20EBE4CD92FEDB7B8BF15350F6041A9E512A71D2EB705A09DB51
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00AD4A07
                        • Part of subcall function 00AA55C0: SysFreeString.OLEAUT32(?), ref: 00AA55CE
                      • GetErrorInfo.OLEAUT32(00000000,00000000,00000014,00AD41DE,00000008,00AD4582,8007000E,00000124,00AD5B53), ref: 00AD4A3B
                      • CLSIDFromProgID.OLE32(?,?), ref: 00AD4AE1
                      • FormatMessageW.KERNEL32(00001300,00000000,?,00000000,?,00000000,00000000), ref: 00AD4B07
                      • LocalFree.KERNEL32(00000000), ref: 00AD4B29
                        • Part of subcall function 00AB09F6: __EH_prolog3.LIBCMT ref: 00AB09FD
                        • Part of subcall function 00AA3730: SysStringLen.OLEAUT32(?), ref: 00AA373E
                        • Part of subcall function 00AA3730: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00AA3758
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: String$FreeH_prolog3$AllocErrorFormatFromInfoLocalMessageProg
                      • String ID: Unknown error
                      • API String ID: 2182933432-83687255
                      • Opcode ID: ce3cca17298ed65faeb0033d585c72d2377f678da2d8936e0ac1e503987bd915
                      • Instruction ID: 39c804aae30a8b71a10c4c3ff4a9f74de1a3d3721e1bd618b769d9155e101ed4
                      • Opcode Fuzzy Hash: ce3cca17298ed65faeb0033d585c72d2377f678da2d8936e0ac1e503987bd915
                      • Instruction Fuzzy Hash: A7419EB19006059FDF05DFA0C949BBE77B5AF49300F140189F912AF2D2DBB1AE05CBA0
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ADE98D
                      • _memset.LIBCMT ref: 00ADE9AC
                        • Part of subcall function 00AAD24B: __EH_prolog3_GS.LIBCMT ref: 00AAD252
                      • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00ADEB24
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: H_prolog3_$ExecuteShell_memset
                      • String ID: ClickOncePackage$Startup$open
                      • API String ID: 447700153-1966403724
                      • Opcode ID: 11f9c54f4c6b2befbcf79465e6261a7a9426e5ca7ced2b53567aa7988c58ef69
                      • Instruction ID: d9ff2313e68aed0e9f16b6112557ac132657b9aacfc442baa40804d766390c53
                      • Opcode Fuzzy Hash: 11f9c54f4c6b2befbcf79465e6261a7a9426e5ca7ced2b53567aa7988c58ef69
                      • Instruction Fuzzy Hash: ED417071901168AADB20EB64CD55BEEB7F8BF51700F1081D9E18AA7091EF709B88CFD1
                      APIs
                      • GetTickCount.KERNEL32 ref: 00B1946C
                      • BitBlt.GDI32(00000001,?,?,00000000,00000002,?,00000000,00000000,00CC0020), ref: 00B194AA
                      • BitBlt.GDI32(00000001,?,?,00000000,00000002,?,00000000,00000000,00CC0020), ref: 00B194D3
                      • GetTickCount.KERNEL32 ref: 00B194F0
                      • PlayMetaFile.GDI32(00B13CDE,00000000), ref: 00B19798
                      • DeleteDC.GDI32(?), ref: 00B197A1
                      • RestoreDC.GDI32(00B13CDE,?), ref: 00B197AB
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: CountTick$DeleteFileMetaPlayRestore
                      • String ID:
                      • API String ID: 718445662-0
                      • Opcode ID: c470b3327f7e80d695ce5b9135d9e6d88c4e8393cb903eed9235788f655edb23
                      • Instruction ID: 63ea84d002cc5cbd52dc1ca5cc5f17e5048ee832898f125ec1dd522847216d31
                      • Opcode Fuzzy Hash: c470b3327f7e80d695ce5b9135d9e6d88c4e8393cb903eed9235788f655edb23
                      • Instruction Fuzzy Hash: 32417E71A006499BDF248FA4DC95BFEB7B5FF48320FA4025CE116A62E1DB75A881CB50
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AB631C
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00AB5E3D: __EH_prolog3_GS.LIBCMT ref: 00AB5E44
                        • Part of subcall function 00AB6703: __EH_prolog3.LIBCMT ref: 00AB670A
                        • Part of subcall function 00AAF565: __EH_prolog3_GS.LIBCMT ref: 00AAF56F
                        • Part of subcall function 00AB5F47: __EH_prolog3_GS.LIBCMT ref: 00AB5F4E
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00AAC6A3: __EH_prolog3.LIBCMT ref: 00AAC6AA
                        • Part of subcall function 00ADA973: __EH_prolog3.LIBCMT ref: 00ADA97A
                        • Part of subcall function 00B09450: __EH_prolog3_GS.LIBCMT ref: 00B0945A
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: H_prolog3_$ErrorLast$H_prolog3$FreeString
                      • String ID: .ini$0x%04x$FontName$Properties$Tahoma
                      • API String ID: 827811706-1005493852
                      • Opcode ID: 240ad4df96a6d980069559f2e9461a19223561962a9685f591556b9046551713
                      • Instruction ID: 778fa0f43dde18a53cdf874fa80c68c919f1d66dba36165dd4c604eedbedcd88
                      • Opcode Fuzzy Hash: 240ad4df96a6d980069559f2e9461a19223561962a9685f591556b9046551713
                      • Instruction Fuzzy Hash: F641A0B5D0125CEADB14EBA4CD06BEEBBB8AF55300F1440D9E545A3182DBB44B48DBE2
                      APIs
                      • GetTickCount.KERNEL32 ref: 00B19355
                      • BitBlt.GDI32(00000001,?,?,00000004,?,?,00000000,00000000,00CC0020), ref: 00B19392
                      • BitBlt.GDI32(00000001,?,?,00000004,?,?,00000000,00000000,00CC0020), ref: 00B193BD
                      • GetTickCount.KERNEL32 ref: 00B193D6
                      • PlayMetaFile.GDI32(00B13CDE,00000000), ref: 00B19798
                      • DeleteDC.GDI32(?), ref: 00B197A1
                      • RestoreDC.GDI32(00B13CDE,?), ref: 00B197AB
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: CountTick$DeleteFileMetaPlayRestore
                      • String ID:
                      • API String ID: 718445662-0
                      • Opcode ID: 56e6d2f45da2aff2a3cd5fe15fb343ae0b8e907d539d8e3a09afc6120b7c3432
                      • Instruction ID: 59d1e4f08bc3a350dbc8b3c997fd698fd312bbb02b5026255f15ba208d15031a
                      • Opcode Fuzzy Hash: 56e6d2f45da2aff2a3cd5fe15fb343ae0b8e907d539d8e3a09afc6120b7c3432
                      • Instruction Fuzzy Hash: 04418171A006499BDF24CF94ECA5BFDB7B5FF08324FA4015CE212A61D0C7356995DB28
                      APIs
                      • GetLastError.KERNEL32(6D9FB08F,?,00000001,00000000,?,?,?,?,?,?,?,?,00000000,00B30950,000000FF), ref: 00AA4884
                      • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00B30950,000000FF), ref: 00AA48BA
                      • GetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00B30950,000000FF), ref: 00AA4905
                      • SysFreeString.OLEAUT32(000000FF), ref: 00AA4921
                      • SysFreeString.OLEAUT32(?), ref: 00AA492C
                      • SetLastError.KERNEL32(?), ref: 00AA494C
                      • SetLastError.KERNEL32(00000001), ref: 00AA4956
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast$FreeString
                      • String ID:
                      • API String ID: 2425351278-0
                      • Opcode ID: e142abf577470af98aa8af847eab106b0cbef5b5c0236d34819a38f3bbbf6d4c
                      • Instruction ID: 195011321a22f18c9869429546c19660b36ea9e9776573ca5e2607940f9d1421
                      • Opcode Fuzzy Hash: e142abf577470af98aa8af847eab106b0cbef5b5c0236d34819a38f3bbbf6d4c
                      • Instruction Fuzzy Hash: 99414775A00609EFCB10CFA9D945B9EBBF4FF09304F204129E809E7690EB71A910CB94
                      APIs
                      • _memmove.LIBCMT ref: 00B1A45A
                      • _memmove.LIBCMT ref: 00B1A47A
                      • lstrcmpA.KERNEL32(0000000B,NETSCAPE2.0,?,?,?,?,00000000,?,?,00B1A74C,00B1A74D), ref: 00B1A48F
                      • _memmove.LIBCMT ref: 00B1A4A7
                      • _memmove.LIBCMT ref: 00B1A4CD
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: _memmove$lstrcmp
                      • String ID: NETSCAPE2.0
                      • API String ID: 1993653321-1278374441
                      • Opcode ID: 70e67c87c1a9ec3f243def69ae99f126f861373fc42f3e16c0fa9f491068f6e1
                      • Instruction ID: c9b0b6efecfbb4490eb602459775da36cb4a284a5efeba87d036240ac16a0569
                      • Opcode Fuzzy Hash: 70e67c87c1a9ec3f243def69ae99f126f861373fc42f3e16c0fa9f491068f6e1
                      • Instruction Fuzzy Hash: 82319071900219EFDF21CFA8D845AAEB7F8FF59305F1048AAE150A7241D3B56684CB52
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: Find_unchecked1String
                      • String ID: =$"
                      • API String ID: 2433260155-3309281751
                      • Opcode ID: 944a95e38ec2157962a2f070093ab8030626237a5c4520aab0fb97aae66ab6cd
                      • Instruction ID: 88668e10798cf9e93923828f31078796e62338e7bd8667ea64952dfe113b0c4c
                      • Opcode Fuzzy Hash: 944a95e38ec2157962a2f070093ab8030626237a5c4520aab0fb97aae66ab6cd
                      • Instruction Fuzzy Hash: 02314F72A00604AFDB24EFA5CD86DDFB7FCEF44700B44856DE506E2551EAB0AA84CB90
                      APIs
                      • FindResourceW.KERNEL32(00000001,?,?,?,00000001,?,?,00AB6A53,?,00000001,00000005,00000080,00AB600D,00000402,?,00AB6020), ref: 00AB4242
                      • LoadResource.KERNEL32(00000001,00000000,?,00000001,?,?,00AB6A53,?,00000001,00000005,00000080,00AB600D,00000402,?,00AB6020,?), ref: 00AB4252
                      • SizeofResource.KERNEL32(00000001,00000000,?,00000001,?,?,00AB6A53,?,00000001,00000005,00000080,00AB600D,00000402,?,00AB6020,?), ref: 00AB4268
                      • _memset.LIBCMT ref: 00AB4289
                      • LockResource.KERNEL32(00000000,?,?,00000001,000008A4,00AF141D,?,00000000), ref: 00AB4295
                      • _memmove.LIBCMT ref: 00AB429E
                      • __CxxThrowException@8.LIBCMT ref: 00AB42B1
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: Resource$Exception@8FindLoadLockSizeofThrow_memmove_memset
                      • String ID:
                      • API String ID: 3510561357-0
                      • Opcode ID: 2988519f2bbe608e668272ac4c5255726dd164229dba04359fcd21ae19bf97ef
                      • Instruction ID: 18b2fe3f72ade67a04493a55de9a4642aa51a33509db7eb5687316f0bb9dde8f
                      • Opcode Fuzzy Hash: 2988519f2bbe608e668272ac4c5255726dd164229dba04359fcd21ae19bf97ef
                      • Instruction Fuzzy Hash: 18018076100709BBDB212F61DC49EAB7F6DEF98751F104429FA4596153DE72C8109660
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00AB4701
                      • GetLastError.KERNEL32(00000004,00AB48BA), ref: 00AB471E
                      • SysFreeString.OLEAUT32(?), ref: 00AB472B
                      • SetLastError.KERNEL32(?), ref: 00AB4745
                      • GetLastError.KERNEL32 ref: 00AB4758
                      • SysFreeString.OLEAUT32(?), ref: 00AB477D
                      • SetLastError.KERNEL32(?), ref: 00AB4791
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast$FreeString$H_prolog3
                      • String ID:
                      • API String ID: 746121330-0
                      • Opcode ID: f7533298078c449adeb56877c506cc41ed9c410b66595b036fd24f2143a09e00
                      • Instruction ID: 14c53536e437cd3a220306a59a76f20fc22dd6f660e634e0c348ac28659c8afc
                      • Opcode Fuzzy Hash: f7533298078c449adeb56877c506cc41ed9c410b66595b036fd24f2143a09e00
                      • Instruction Fuzzy Hash: CF113675900604DFCB21DFA8C988B5DBBF0FF08314F688598E959AB362CBB1E910CB14
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00AB47A0
                      • GetLastError.KERNEL32(00000004,00AB48D9), ref: 00AB47BD
                      • SysFreeString.OLEAUT32(?), ref: 00AB47CA
                      • SetLastError.KERNEL32(?), ref: 00AB47E4
                      • GetLastError.KERNEL32 ref: 00AB47F7
                      • SysFreeString.OLEAUT32(?), ref: 00AB481C
                      • SetLastError.KERNEL32(?), ref: 00AB4830
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast$FreeString$H_prolog3
                      • String ID:
                      • API String ID: 746121330-0
                      • Opcode ID: 462c3063b3c343909913c8c6030a2d7618232706782a57e5f651ac3eb84ff3c5
                      • Instruction ID: 4dc2c92de4e89422a4d5ade2e3679fb4158f6018a5d3cfef22bf48dd1508cec7
                      • Opcode Fuzzy Hash: 462c3063b3c343909913c8c6030a2d7618232706782a57e5f651ac3eb84ff3c5
                      • Instruction Fuzzy Hash: 68113675900604DFCB21DFA8C988B5DBBF0FF08314F688598E959AB362CBB1E910CB14
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00B0ABC9
                      • GetModuleHandleW.KERNEL32(kernel32.dll,RemoveDirectoryW,00000004,00B075F9), ref: 00B0ABDE
                      • GetProcAddress.KERNEL32(00000000), ref: 00B0ABE5
                        • Part of subcall function 00AAC346: __EH_prolog3.LIBCMT ref: 00AAC34D
                        • Part of subcall function 00AAC346: GetLastError.KERNEL32(00000004,00ADA9A1,?,00000000,00000004,00AAEE6B,?,00000001), ref: 00AAC36F
                        • Part of subcall function 00AAC346: SetLastError.KERNEL32(?,00000000), ref: 00AAC3AF
                      • GetLastError.KERNEL32 ref: 00B0AC21
                        • Part of subcall function 00B0ACE0: __EH_prolog3_GS.LIBCMT ref: 00B0ACE7
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast$H_prolog3$AddressH_prolog3_HandleModuleProc
                      • String ID: RemoveDirectoryW$kernel32.dll
                      • API String ID: 2400663618-3934976865
                      • Opcode ID: 4310255967323cc3d1be76c4b1216ecd1ef2b209b3cd04620546ca262dddcaa6
                      • Instruction ID: f8295683820d555a915cf31772dcb4e7082326c5ed840cd7303295791c08ccc7
                      • Opcode Fuzzy Hash: 4310255967323cc3d1be76c4b1216ecd1ef2b209b3cd04620546ca262dddcaa6
                      • Instruction Fuzzy Hash: 8BF0A977501604ABDF20EFB4CD0965E3BE8BF04311F504158F915DB251DB74C601C795
                      APIs
                      • RegOpenKeyExW.ADVAPI32(80000001,Software\InstallShield\ISWI\7.0\SetupExeLog,00000000,00000001,?), ref: 00AC11B8
                      • RegQueryValueExW.ADVAPI32(?,SetupLogFileName,00000000,00000000,00B669A8,?), ref: 00AC11DE
                      • RegCloseKey.ADVAPI32(?), ref: 00AC11F9
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID: SetupLogFileName$Software\InstallShield\ISWI\7.0\SetupExeLog$`{Al
                      • API String ID: 3677997916-588308929
                      • Opcode ID: 7d99cf64435cbc8f4ddf7ad1ee9a8dc318abd76a9c4cc265c9b20479973c1406
                      • Instruction ID: 02423162103a212edf4e37970c1bfaf9edf582da9f8ba3b38734534d01f5053c
                      • Opcode Fuzzy Hash: 7d99cf64435cbc8f4ddf7ad1ee9a8dc318abd76a9c4cc265c9b20479973c1406
                      • Instruction Fuzzy Hash: 4FF089B5344244BFDB348B91DD4AF9E7FFCEB45B01F200189FA02E20E0DAF555059664
                      APIs
                        • Part of subcall function 00ADA1B4: __EH_prolog3.LIBCMT ref: 00ADA1BB
                        • Part of subcall function 00ADA1B4: lstrcmpiW.KERNEL32(?,00000000,00AD8449,?,?,?,6D9FB08F,?,?,?,?,?,00B2867E,000000FF), ref: 00ADA232
                      • CharNextW.USER32(?), ref: 00AD850A
                      • CharNextW.USER32(00000000), ref: 00AD8527
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: CharNext$H_prolog3lstrcmpi
                      • String ID:
                      • API String ID: 1581910369-0
                      • Opcode ID: 774f64da76052aa165b52ea85f1c7ed740aa6019cd0336fdd18c9ddf212ed225
                      • Instruction ID: 578d2755048f7cfe0139f604a8513840e6a22dca11c95e374ae5834cfd5d64d0
                      • Opcode Fuzzy Hash: 774f64da76052aa165b52ea85f1c7ed740aa6019cd0336fdd18c9ddf212ed225
                      • Instruction Fuzzy Hash: 59A16C71900228DBDB25DF64DD499EDB7B5EB28350F1141EBE60AA3290DB389E94CF90
                      APIs
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: _memset$BrowseFolderFromH_prolog3_ListMallocPath
                      • String ID:
                      • API String ID: 1804835819-0
                      • Opcode ID: 108d3630d62e1973fb2908e45f938b1c6fb7fad8770093db12427e3377a18b87
                      • Instruction ID: c86d5d506ab2fcc85503cc860e50d13a8fd793157dd8ca12ca6178b53fa727b7
                      • Opcode Fuzzy Hash: 108d3630d62e1973fb2908e45f938b1c6fb7fad8770093db12427e3377a18b87
                      • Instruction Fuzzy Hash: 87513C71A002589EDF10EB64CD45BEEB7F8BF55300F0481EAE18AA7291DF749A85CF91
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00B0A88B
                        • Part of subcall function 00AAC346: __EH_prolog3.LIBCMT ref: 00AAC34D
                        • Part of subcall function 00AAC346: GetLastError.KERNEL32(00000004,00ADA9A1,?,00000000,00000004,00AAEE6B,?,00000001), ref: 00AAC36F
                        • Part of subcall function 00AAC346: SetLastError.KERNEL32(?,00000000), ref: 00AAC3AF
                        • Part of subcall function 00B0AD39: __EH_prolog3.LIBCMT ref: 00B0AD40
                      • LoadTypeLib.OLEAUT32(?,?), ref: 00B0A900
                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00B0A91A
                      • RegOverridePredefKey.ADVAPI32(80000000,00000000), ref: 00B0A9BC
                        • Part of subcall function 00B0AA46: GetVersionExW.KERNEL32(?), ref: 00B0AA6A
                        • Part of subcall function 00B063AA: RegOverridePredefKey.ADVAPI32(80000000,?), ref: 00B063E2
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: H_prolog3$ErrorLastOverridePredefType$LoadRegisterVersion
                      • String ID:
                      • API String ID: 3828359244-0
                      • Opcode ID: ea3b30a98baf31cf018f1984d3b4a4a527f76eb58dd6b50ff39a3b95d72028db
                      • Instruction ID: ec9052437d4205cfde45c272fc3f0a84ad0cbfd4a66051d9fc969c04ba01109b
                      • Opcode Fuzzy Hash: ea3b30a98baf31cf018f1984d3b4a4a527f76eb58dd6b50ff39a3b95d72028db
                      • Instruction Fuzzy Hash: 10416870A00209EFDF14DFA5C884AAD3BE8EF15344F608899F9059B291DB75D945CB62
                      APIs
                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,6D9FB08F,?,?), ref: 00B184EE
                      • CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000,?,?), ref: 00B18506
                      • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,?), ref: 00B1851E
                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?), ref: 00B18534
                      • CloseHandle.KERNEL32(00000000,?,?), ref: 00B1856C
                      • CloseHandle.KERNEL32(?,?,?), ref: 00B18578
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: File$CloseCreateHandle$MappingSizeView
                      • String ID:
                      • API String ID: 2246244431-0
                      • Opcode ID: 79b8d4cfa909638e8ab12d7677ce5e069548169e3fdf64f8932d934c27dcce04
                      • Instruction ID: a0160b9580a9da6dcb5a6e4f891c08905e673f29c9f37715f69f0bf969c24705
                      • Opcode Fuzzy Hash: 79b8d4cfa909638e8ab12d7677ce5e069548169e3fdf64f8932d934c27dcce04
                      • Instruction Fuzzy Hash: D431B131600644BBE7218F698C85FAFBBBCFB56B20F604159FE15A72C0CF749A4086A0
                      APIs
                      • GetDC.USER32(00000000), ref: 00B187C6
                      • SelectPalette.GDI32(00000000,00000000,00000000), ref: 00B187E9
                      • RealizePalette.GDI32(00000000), ref: 00B187FD
                      • CreateDIBitmap.GDI32(00000000,00B19E3A,00000004,?,00B19E3A,00000000), ref: 00B1881F
                      • SelectPalette.GDI32(00000000,00B19E3A,00000000), ref: 00B18833
                      • ReleaseDC.USER32(00000000,00000000), ref: 00B1883C
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: Palette$Select$BitmapCreateRealizeRelease
                      • String ID:
                      • API String ID: 1213237138-0
                      APIs
                      • lstrlenW.KERNEL32(?,00000000,00000004,?,?,?,00AC61AF,?), ref: 00AF0F90
                      • lstrcpyW.KERNEL32(00000000,?,?,?,00AC61AF,?), ref: 00AF0FAF
                      • lstrcatW.KERNEL32(00000000,00B37904,?,?,00AC61AF,?), ref: 00AF0FBB
                      • lstrlenW.KERNEL32(00000000,?,?,00AC61AF,?), ref: 00AF0FC4
                      • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00AC61AF,?), ref: 00AF0FDE
                      • GetLastError.KERNEL32(?,?,00AC61AF,?), ref: 00AF0FE8
                      Similarity
                      • API ID: lstrlen$CreateDirectoryErrorLastlstrcatlstrcpy
                      • String ID:
                      • API String ID: 4043630017-0
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00AC0E5E
                      • GetLastError.KERNEL32(00000004,00AC0E29,?,00000000,?,00000001), ref: 00AC0E80
                      • SetLastError.KERNEL32(?), ref: 00AC0EBB
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00AC0EDC
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000037,00000000,00000000,00000000), ref: 00AC0F03
                      • SetLastError.KERNEL32(?), ref: 00AC0F11
                      Similarity
                      • API ID: ErrorLast$ByteCharMultiWide$H_prolog3
                      • String ID:
                      • API String ID: 1573742327-0
                      APIs
                      • lstrcpyW.KERNEL32(?,?,-00000004,00000008,00000000), ref: 00AF1270
                      • _wcsrchr.LIBCMT ref: 00AF127B
                      • _wcsrchr.LIBCMT ref: 00AF1291
                      • CharNextW.USER32(00000000), ref: 00AF129F
                      • lstrcpyW.KERNEL32(?,?), ref: 00AF12B9
                      • lstrcpyW.KERNEL32(?,00000000), ref: 00AF12C2
                      Similarity
                      • API ID: lstrcpy$_wcsrchr$CharNext
                      • String ID:
                      • API String ID: 3722002711-0
                      APIs
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ABC31B
                      • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00ABC331
                      • CloseHandle.KERNEL32(?), ref: 00ABC33D
                      Similarity
                      • API ID: CloseHandleMessageMultipleObjectsPeekWait
                      • String ID:
                      • API String ID: 2837130844-0
                      APIs
                      • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00B18ECA
                      • SetViewportOrgEx.GDI32(00B13CDE,00000000,00000000,00000000), ref: 00B18EDC
                      • SetViewportExtEx.GDI32(00B13CDE,?,?,00000000), ref: 00B18EEB
                      • PlayMetaFile.GDI32(00B13CDE,00000000), ref: 00B19798
                      • DeleteDC.GDI32(?), ref: 00B197A1
                      • RestoreDC.GDI32(00B13CDE,?), ref: 00B197AB
                      Similarity
                      • API ID: Viewport$DeleteFileMetaPlayRestoreStretch
                      • String ID:
                      • API String ID: 547996562-0
                      APIs
                      • GetDlgItem.USER32(00000000,00000000), ref: 00AD6E58
                      • EnableWindow.USER32(00000000), ref: 00AD6E5B
                      • GetDlgItem.USER32(00000000,00000001), ref: 00AD6E72
                      • EnableWindow.USER32(00000000), ref: 00AD6E75
                      • GetDlgItem.USER32(00000000), ref: 00AD6E84
                      • SetFocus.USER32(00000000), ref: 00AD6E87
                      Similarity
                      • API ID: Item$EnableWindow$Focus
                      • String ID:
                      • API String ID: 864471436-0
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AE9AD2
                      • RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\Session Manager\Environment,00000000,00020019,?,000000BC,00AEA756,?,?,PATH,?,00000001), ref: 00AE9B15
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00AA3730: SysStringLen.OLEAUT32(?), ref: 00AA373E
                        • Part of subcall function 00AA3730: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00AA3758
                        • Part of subcall function 00AA3730: _wmemcpy_s.LIBCMT ref: 00AA3785
                      • RegEnumValueW.ADVAPI32(?,?,00000000,?,00000000,?,00000000,?,?,?,?,?), ref: 00AE9C4D
                        • Part of subcall function 00AA3860: GetLastError.KERNEL32(6D9FB08F,?,?,?,?,00B308D8,000000FF), ref: 00AA38A2
                        • Part of subcall function 00AA3860: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,00B308D8,000000FF), ref: 00AA38FE
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      • RegEnumValueW.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000,?,?,00000400,?,00000400), ref: 00AE9D10
                        • Part of subcall function 00AA34F0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0), ref: 00AA352F
                        • Part of subcall function 00AA34F0: GetLastError.KERNEL32(?,00000000,000000FF), ref: 00AA35C9
                        • Part of subcall function 00AA34F0: SysFreeString.OLEAUT32(?), ref: 00AA35E3
                        • Part of subcall function 00AA34F0: SysFreeString.OLEAUT32(?), ref: 00AA35F0
                        • Part of subcall function 00AA34F0: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,SOFTWARE\InstallShield\25.0\Professional), ref: 00AA3614
                        • Part of subcall function 00AA34F0: SetLastError.KERNEL32(?,?,00000000,74DEDFA0), ref: 00AA361A
                      Strings
                      • SYSTEM\CurrentControlSet\Control\Session Manager\Environment, xrefs: 00AE9B0B
                      Similarity
                      • API ID: ErrorLast$String$Free$EnumValue$AllocH_prolog3_Open_wmemcpy_s
                      • String ID: SYSTEM\CurrentControlSet\Control\Session Manager\Environment
                      • API String ID: 802081060-1561130620
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ADC403
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00AAF320: SysStringLen.OLEAUT32(?), ref: 00AAF32D
                        • Part of subcall function 00AAF320: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00AAF347
                        • Part of subcall function 00AB08A9: __EH_prolog3.LIBCMT ref: 00AB08B0
                        • Part of subcall function 00AB1233: __EH_prolog3_GS.LIBCMT ref: 00AB123D
                        • Part of subcall function 00AB1233: SysStringLen.OLEAUT32(?), ref: 00AB1363
                        • Part of subcall function 00AB1233: SysFreeString.OLEAUT32(?), ref: 00AB1372
                        • Part of subcall function 00AB1233: SysFreeString.OLEAUT32(?), ref: 00AB13B7
                        • Part of subcall function 00AB09F6: __EH_prolog3.LIBCMT ref: 00AB09FD
                      Strings
                      Similarity
                      • API ID: String$ErrorFreeH_prolog3H_prolog3_Last$Alloc
                      • String ID: IS_temp$eprq$runfromtemp$tempdisk1folder
                      • API String ID: 2107722048-2885546089
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AE558C
                        • Part of subcall function 00AC76A3: __EH_prolog3_GS.LIBCMT ref: 00AC76AA
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00AAC6A3: __EH_prolog3.LIBCMT ref: 00AAC6AA
                      Strings
                      Similarity
                      • API ID: ErrorFreeH_prolog3_LastString$H_prolog3
                      • String ID: $..\..\..\Shared\Setup\SetupPrereqMgr.cpp$TRANSFORMS=$Transform list: %s
                      • API String ID: 518544201-300284800
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AEA69E
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00AA3730: SysStringLen.OLEAUT32(?), ref: 00AA373E
                        • Part of subcall function 00AA3730: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00AA3758
                      • GetCurrentDirectoryW.KERNEL32(00000104,00000000,?,00000104,000000B8,00AE805B,?,?,00B37904,00000000,00000000,?,?,?), ref: 00AEA6FB
                        • Part of subcall function 00AA34F0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0), ref: 00AA352F
                        • Part of subcall function 00AA34F0: GetLastError.KERNEL32(?,00000000,000000FF), ref: 00AA35C9
                        • Part of subcall function 00AA34F0: SysFreeString.OLEAUT32(?), ref: 00AA35E3
                        • Part of subcall function 00AA34F0: SysFreeString.OLEAUT32(?), ref: 00AA35F0
                        • Part of subcall function 00AA34F0: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,SOFTWARE\InstallShield\25.0\Professional), ref: 00AA3614
                        • Part of subcall function 00AA34F0: SetLastError.KERNEL32(?,?,00000000,74DEDFA0), ref: 00AA361A
                      • ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,0000003B,00000000,?,00000001,?,?,PATH,?,00000001), ref: 00AEA7C7
                      • ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000024C), ref: 00AEA830
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      Strings
                      Similarity
                      • API ID: ErrorLast$String$Free$EnvironmentExpandStrings$AllocCurrentDirectoryH_prolog3_
                      • String ID: PATH
                      • API String ID: 1955952499-1036084923
                      APIs
                      • _memmove.LIBCMT ref: 00B06619
                      • _memmove.LIBCMT ref: 00B06652
                      • _memmove.LIBCMT ref: 00B0668A
                      • _memmove.LIBCMT ref: 00B066B3
                        • Part of subcall function 00AF2E39: std::exception::exception.LIBCMT ref: 00AF2E4C
                        • Part of subcall function 00AF2E39: __CxxThrowException@8.LIBCMT ref: 00AF2E61
                      Strings
                      Similarity
                      • API ID: _memmove$Exception@8Throwstd::exception::exception
                      • String ID: deque<T> too long
                      • API String ID: 1300846289-309773918
                      • Opcode ID: c8772c4fb090a522c325f036a30ca8d47fb9c5cf20cb6e56d97b950bc5da7e68
                      • Instruction ID: 86cdab118c7d643fb6015a0da85b3aa01ae509232a9e94c2167b3fa0923d25cf
                      • Opcode Fuzzy Hash: c8772c4fb090a522c325f036a30ca8d47fb9c5cf20cb6e56d97b950bc5da7e68
                      • Instruction Fuzzy Hash: AD41DC73D00625ABC7209F94CD416ABBBA8EF40360F148369E925E3681D771EE14CBD0
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AD5804
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00ADD595: __EH_prolog3_GS.LIBCMT ref: 00ADD59C
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                      Strings
                      Similarity
                      • API ID: ErrorLast$FreeH_prolog3_String
                      • String ID: %s%d$UpgardeTable$count$key
                      • API String ID: 2608676048-2647550720
                      • Opcode ID: 5ab7cede3293418e01c80aafbe1411515bce86d7b4464c12d17aa6d3bf392e9d
                      • Instruction ID: b99521a0f28babeaf7fbaa5a7174e9da8c172e224d49158829a2b1746c18f250
                      • Opcode Fuzzy Hash: 5ab7cede3293418e01c80aafbe1411515bce86d7b4464c12d17aa6d3bf392e9d
                      • Instruction Fuzzy Hash: A3519A31D00259EEEB24EBA4CD55FEEB7B8BF51300F544099E106A71D2EBB06B48DB61
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AB64DE
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00AB5E3D: __EH_prolog3_GS.LIBCMT ref: 00AB5E44
                        • Part of subcall function 00AB6703: __EH_prolog3.LIBCMT ref: 00AB670A
                        • Part of subcall function 00AAF565: __EH_prolog3_GS.LIBCMT ref: 00AAF56F
                        • Part of subcall function 00AB5F47: __EH_prolog3_GS.LIBCMT ref: 00AB5F4E
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00AAC6A3: __EH_prolog3.LIBCMT ref: 00AAC6AA
                        • Part of subcall function 00ADA973: __EH_prolog3.LIBCMT ref: 00ADA97A
                        • Part of subcall function 00B09355: __EH_prolog3_GS.LIBCMT ref: 00B0935F
                      Strings
                      Similarity
                      • API ID: H_prolog3_$ErrorLast$H_prolog3$FreeString
                      • String ID: .ini$0x%04x$FontSize$Properties
                      • API String ID: 827811706-3572762767
                      • Opcode ID: 3eeb17fde6ff4e979ea2573f13e9ea5829e2d0ee6580eea36a388b8f0654e19a
                      • Instruction ID: ca8ed51940733fc4cef63a585f49abbc1c7a56a6093e14e011b8f83e2a227b33
                      • Opcode Fuzzy Hash: 3eeb17fde6ff4e979ea2573f13e9ea5829e2d0ee6580eea36a388b8f0654e19a
                      • Instruction Fuzzy Hash: 41319F71D00258FADF14E7A4CD06BEDBBB8AB25300F1441D9F145A71C2EBB45B48DBA2
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00B0A4F0
                        • Part of subcall function 00AAC346: __EH_prolog3.LIBCMT ref: 00AAC34D
                        • Part of subcall function 00AAC346: GetLastError.KERNEL32(00000004,00ADA9A1,?,00000000,00000004,00AAEE6B,?,00000001), ref: 00AAC36F
                        • Part of subcall function 00AAC346: SetLastError.KERNEL32(?,00000000), ref: 00AAC3AF
                        • Part of subcall function 00B0AD39: __EH_prolog3.LIBCMT ref: 00B0AD40
                        • Part of subcall function 00AAF879: __EH_prolog3_GS.LIBCMT ref: 00AAF883
                        • Part of subcall function 00B0A793: __EH_prolog3_GS.LIBCMT ref: 00B0A79A
                      Strings
                      Similarity
                      • API ID: H_prolog3_$ErrorH_prolog3Last
                      • String ID: .DLL$.EXE$.OCX$.TLB
                      • API String ID: 1247511005-324785130
                      • Opcode ID: 00f3305012d3f35f08c71c578bc1edb2c6321d456e65cdb6dae237ca82efbdb9
                      • Instruction ID: c7e052560ff77ab941d1042be76ba2b24c69fcb312ecfc7afb541d730811dcab
                      • Opcode Fuzzy Hash: 00f3305012d3f35f08c71c578bc1edb2c6321d456e65cdb6dae237ca82efbdb9
                      • Instruction Fuzzy Hash: 5F31D5B5900209BFDF05FF64C9829BE3FF8EF11350B5044A9F8055B1A2EB318A56DB92
                      APIs
                      • lstrcpyW.KERNEL32(?,?,00000000), ref: 00AF2673
                      • lstrcpyW.KERNEL32(?,00AB1124), ref: 00AF267D
                        • Part of subcall function 00AF136D: lstrlenW.KERNEL32(?,74E2F860,?,00AF268B,?), ref: 00AF1379
                      • _swscanf.LIBCMT ref: 00AF26F2
                        • Part of subcall function 00AF6A0E: _vscan_fn.LIBCMT ref: 00AF6A22
                      • _swscanf.LIBCMT ref: 00AF271B
                      Strings
                      Similarity
                      • API ID: _swscanflstrcpy$_vscan_fnlstrlen
                      • String ID: %u.%u.%u.%u
                      • API String ID: 1604777239-1542503432
                      • Opcode ID: ca97d969593f27820dc1e66aa7b17477f82f715cb62906371be2141033be1fa0
                      • Instruction ID: 41c858d9d7ce4ffb3a9cd494c2e826eda3ea1e3fbb4beaf205ffa28973b778ef
                      • Opcode Fuzzy Hash: ca97d969593f27820dc1e66aa7b17477f82f715cb62906371be2141033be1fa0
                      • Instruction Fuzzy Hash: FB31CEF2D1112CAACB20EF94CD44ADEB7BCAB48710F5045E6B709E3141D630AB85CF98
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ADE512
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00AA3730: SysStringLen.OLEAUT32(?), ref: 00AA373E
                        • Part of subcall function 00AA3730: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00AA3758
                        • Part of subcall function 00AF0334: __EH_prolog3_GS.LIBCMT ref: 00AF033E
                        • Part of subcall function 00AF0334: _memset.LIBCMT ref: 00AF0371
                        • Part of subcall function 00AF0334: GetModuleFileNameW.KERNEL32(?,00000104), ref: 00AF038B
                        • Part of subcall function 00AF0334: _memset.LIBCMT ref: 00AF03B8
                        • Part of subcall function 00AF0334: _memset.LIBCMT ref: 00AF0403
                        • Part of subcall function 00AF0334: GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,?), ref: 00AF0417
                        • Part of subcall function 00AF0334: GetTempFileNameW.KERNELBASE(?,00B3E664,00000000,?,?,?,?,?,?,?,?,?), ref: 00AF0431
                        • Part of subcall function 00AA34F0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0), ref: 00AA352F
                        • Part of subcall function 00AA34F0: GetLastError.KERNEL32(?,00000000,000000FF), ref: 00AA35C9
                        • Part of subcall function 00AA34F0: SysFreeString.OLEAUT32(?), ref: 00AA35E3
                        • Part of subcall function 00AA34F0: SysFreeString.OLEAUT32(?), ref: 00AA35F0
                        • Part of subcall function 00AA34F0: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,SOFTWARE\InstallShield\25.0\Professional), ref: 00AA3614
                        • Part of subcall function 00AA34F0: SetLastError.KERNEL32(?,?,00000000,74DEDFA0), ref: 00AA361A
                        • Part of subcall function 00AF66B9: __wtof_l.LIBCMT ref: 00AF66C1
                      • GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000005C,00ABFB16,?), ref: 00ADE5A6
                      • SystemTimeToVariantTime.OLEAUT32(?,?), ref: 00ADE5BC
                      Strings
                      Similarity
                      • API ID: ErrorLast$String$Time_memset$FileFreeH_prolog3_NameTemp$AllocLocalModulePathSystemVariant__wtof_l
                      • String ID: ExpireDate$Startup
                      • API String ID: 2576575598-3358940881
                      • Opcode ID: 39fcbeb3472476b3503cbb980cdaf25293630e2988933355021fae649e745f32
                      • Instruction ID: 6feff3d02eed76630568f6d95ba66bc35eec87ffa31e16a89680bbc063f8d10f
                      • Opcode Fuzzy Hash: 39fcbeb3472476b3503cbb980cdaf25293630e2988933355021fae649e745f32
                      • Instruction Fuzzy Hash: 5E216DB2D00618AFCF01EFE4C985ADEBBF8EF09340F204165E102BB196EB759655DB94
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AB81B3
                        • Part of subcall function 00ADA973: __EH_prolog3.LIBCMT ref: 00ADA97A
                      • LoadLibraryW.KERNEL32(?,?,00000001,0000006C,00ACE981,?,?,00000000,?), ref: 00AB81DC
                      • GetLastError.KERNEL32 ref: 00AB81F3
                      Strings
                      Similarity
                      • API ID: ErrorH_prolog3H_prolog3_LastLibraryLoad
                      • String ID: Failed to load ISSetup.dll$IsMsiHelper.cpp
                      • API String ID: 1370564055-251664514
                      • Opcode ID: 769647a4bb9901139088eb1fef956d061533e486208a80e00bcb532a5ad41cc0
                      • Instruction ID: 6bc421bdbe227d1b6a6472318ebe2539718abfd14c44b253c21e9b73edee08ba
                      • Opcode Fuzzy Hash: 769647a4bb9901139088eb1fef956d061533e486208a80e00bcb532a5ad41cc0
                      • Instruction Fuzzy Hash: 41219270D05648EFDB20DBA8CD49BEE7BB8BB11300F144159F541A71D2DBB85E49CBA1
                      APIs
                      • FormatMessageW.KERNEL32(00001300,00000000,?,00000000,?,00000000,00000000,00000000,00000000), ref: 00AF2782
                      • _memset.LIBCMT ref: 00AF27A2
                      • wsprintfW.USER32 ref: 00AF27BA
                        • Part of subcall function 00AF0CBB: __EH_prolog3_GS.LIBCMT ref: 00AF0CC5
                      • LocalFree.KERNEL32(?), ref: 00AF27D5
                      Strings
                      Similarity
                      • API ID: FormatFreeH_prolog3_LocalMessage_memsetwsprintf
                      • String ID: %s %s
                      • API String ID: 1431993970-2939940506
                      • Opcode ID: b73b3d148b4b1bc372c20f9d56a3cd284784c4b42342978006f3d86b39c7a64a
                      • Instruction ID: e98073d7fde575e02edce89af6dd5fff0421172bc23b98acc1cc63f9c8e56f06
                      • Opcode Fuzzy Hash: b73b3d148b4b1bc372c20f9d56a3cd284784c4b42342978006f3d86b39c7a64a
                      • Instruction Fuzzy Hash: AC01527594011CBADF60ABA1DD09EEF7BFCFB49701F004095BA45E7150DE709A898B90
                      APIs
                      • wsprintfW.USER32 ref: 00AF1880
                        • Part of subcall function 00AF1199: lstrcpyW.KERNEL32(?,?,?,?), ref: 00AF11DD
                        • Part of subcall function 00AF1199: _wcsrchr.LIBCMT ref: 00AF11E8
                        • Part of subcall function 00AF1199: CharNextW.USER32(00000000), ref: 00AF11F6
                        • Part of subcall function 00AF1199: lstrcpyW.KERNEL32(?,?), ref: 00AF1214
                        • Part of subcall function 00AF1199: lstrcpyW.KERNEL32(?,00000000), ref: 00AF121D
                        • Part of subcall function 00AF0E43: lstrlenW.KERNEL32(?,?,?,00ADFB48,00B6B748,?,00B6BFCC,?,?,00AB0EBB,00000000,00000001,0000044F,00000000,000008A8,00AC0F82), ref: 00AF0E4B
                        • Part of subcall function 00AF0E43: lstrcpynW.KERNEL32(?,?,-00000001,?,00ADFB48,00B6B748,?,00B6BFCC,?,?,00AB0EBB,00000000,00000001,0000044F,00000000,000008A8), ref: 00AF0E6F
                        • Part of subcall function 00AF0E43: lstrcatW.KERNEL32(?,?,?,?,00ADFB48,00B6B748,?,00B6BFCC,?,?,00AB0EBB,00000000,00000001,0000044F,00000000,000008A8), ref: 00AF0E8C
                      • lstrcatW.KERNEL32(?,.ini,?,?,?,00B6B748,?,?), ref: 00AF18B2
                      • lstrcpyW.KERNEL32(?,?), ref: 00AF18C1
                      Strings
                      Similarity
                      • API ID: lstrcpy$lstrcat$CharNext_wcsrchrlstrcpynlstrlenwsprintf
                      • String ID: %#04x$.ini
                      • API String ID: 3831616985-866680231
                      • Opcode ID: 243e9036b7a8952256834adb0627b64e1177ff37aa436484ef0b78f38bbc3329
                      • Instruction ID: bade9e693d270924cdf6d3ed24beb50f374703f9c2bdfa166215e401fa6dde4b
                      • Opcode Fuzzy Hash: 243e9036b7a8952256834adb0627b64e1177ff37aa436484ef0b78f38bbc3329
                      • Instruction Fuzzy Hash: 3B01287690060CABCB11EBA4DD05CFF77BCFB49715B508055FA05A3150DB30AA058BA5
                      APIs
                      • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00AD8A97
                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00AD8AA7
                        • Part of subcall function 00AD91D5: GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,00AD8A87,?,?), ref: 00AD91E7
                        • Part of subcall function 00AD91D5: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00AD91F7
                      Strings
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: Advapi32.dll$RegDeleteKeyExW
                      • API String ID: 1646373207-2191092095
                      • Opcode ID: 7013ab5972adad017b940b6e942ab53483a4d0f42bf280ebc9f514614fa5d127
                      • Instruction ID: 26a8e8acd401cc81148058209786911368426bffc19e0fbdd66d7119c00bcb33
                      • Opcode Fuzzy Hash: 7013ab5972adad017b940b6e942ab53483a4d0f42bf280ebc9f514614fa5d127
                      • Instruction Fuzzy Hash: EA016279205601EBDF218F94DC14F563BA8AB04780F69441BF547E32B0CFB99850AF92
                      APIs
                      Strings
                      Similarity
                      • API ID: CharNext
                      • String ID: /m1$/m2
                      • API String ID: 3213498283-2289526375
                      • Opcode ID: a62477796267e98012280d53a706a30e35501f27bd979fa02625d57062535375
                      • Instruction ID: f6bbde022600d45c3a93acab4ffed662bf07edf029e6112ea6050a245b456034
                      • Opcode Fuzzy Hash: a62477796267e98012280d53a706a30e35501f27bd979fa02625d57062535375
                      • Instruction Fuzzy Hash: 5EE02B74954628E9C628A7754F95D3D3DACDA11724F2742AE7003520E1CE540D86EBD1
                      APIs
                      • GetLastError.KERNEL32(6D9FB08F,00000158,00000000,00000000), ref: 00B155FB
                      • SetLastError.KERNEL32(00B36418), ref: 00B1562D
                      • GetLastError.KERNEL32 ref: 00B1563D
                      • SetLastError.KERNEL32(00B36418), ref: 00B15669
                        • Part of subcall function 00B15C90: GetLastError.KERNEL32(6D9FB08F,74DEE010,00000000,?,?,00B303B8,000000FF,?,00B1569D,?,00000000), ref: 00B15CCE
                        • Part of subcall function 00B15C90: SetLastError.KERNEL32(00B36418,00000000,00B3D3E8,00000000,?,00B1569D,?,00000000), ref: 00B15D2A
                      Strings
                      Similarity
                      • API ID: ErrorLast
                      • String ID: ALL
                      • API String ID: 1452528299-2914988887
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AC5BC1
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00AB6B22: __EH_prolog3_GS.LIBCMT ref: 00AB6B29
                        • Part of subcall function 00AB675F: __EH_prolog3_GS.LIBCMT ref: 00AB6769
                      • SendMessageW.USER32(00000000,00000401,00000000,00000001), ref: 00AC5CEB
                      • GetDlgItem.USER32(00000000,0000012D), ref: 00AC5D40
                      • SendMessageW.USER32(00000000,0000000F,00000000,00000000), ref: 00AC5D4B
                      • SendMessageW.USER32(00000000,00000401,00000000,00000000), ref: 00AC5D57
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: H_prolog3_MessageSend$ErrorLast$Item
                      • String ID:
                      • API String ID: 3498289266-0
                      APIs
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID:
                      • API String ID: 4104443479-0
                      APIs
                      • CharNextW.USER32(?,?,00000000,?,?,?,?,00AD842E,?,6D9FB08F,?,?,?,?,?,00B2867E), ref: 00AD8DA0
                      • CharNextW.USER32(?,?,?,00000000,?,?,?,?,00AD842E,?,6D9FB08F), ref: 00AD8E26
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: CharNext
                      • String ID:
                      • API String ID: 3213498283-0
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ABC35B
                      • GetDlgItem.USER32(?,0000040B), ref: 00ABC36B
                        • Part of subcall function 00ABBFEF: __EH_prolog3_GS.LIBCMT ref: 00ABBFF6
                        • Part of subcall function 00ABBFEF: IsWindow.USER32(?), ref: 00ABC03F
                        • Part of subcall function 00ABBFEF: SendMessageW.USER32(?,00001061,?,00000008), ref: 00ABC054
                      • _memset.LIBCMT ref: 00ABC3C4
                      • _wcscpy.LIBCMT ref: 00ABC3F1
                      • SendMessageW.USER32(?,0000101E,00000000,000000FE), ref: 00ABC48E
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: H_prolog3_MessageSend$ItemWindow_memset_wcscpy
                      • String ID:
                      • API String ID: 728581405-0
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ABE46E
                      • IsWindow.USER32(00000000), ref: 00ABE485
                      • GetTickCount.KERNEL32 ref: 00ABE4C6
                      • SendDlgItemMessageW.USER32(00000000,000003EC,0000000C,00000000,-00000004), ref: 00ABE50B
                      • SendDlgItemMessageW.USER32(00000000,000003ED,0000000C,00000000,-00000004), ref: 00ABE54D
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ItemMessageSend$CountH_prolog3_TickWindow
                      • String ID:
                      • API String ID: 3497138821-0
                      APIs
                      • _malloc.LIBCMT ref: 00AFC3F1
                        • Part of subcall function 00AF6529: __FF_MSGBANNER.LIBCMT ref: 00AF6540
                        • Part of subcall function 00AF6529: __NMSG_WRITE.LIBCMT ref: 00AF6547
                        • Part of subcall function 00AF6529: RtlAllocateHeap.NTDLL(00DB0000,00000000,00000001,00000000,?,00000000,?,00AF780F,00000008,00000008,00000008,?,?,00AFF433,00000018,00B5DA98), ref: 00AF656C
                      • _free.LIBCMT ref: 00AFC404
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: AllocateHeap_free_malloc
                      • String ID:
                      • API String ID: 1020059152-0
                      APIs
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: lstrcpy$CharNext_wcsrchr
                      • String ID:
                      • API String ID: 2742890867-0
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00AF245B
                        • Part of subcall function 00AAC6A3: __EH_prolog3.LIBCMT ref: 00AAC6AA
                        • Part of subcall function 00B070E3: __EH_prolog3_GS.LIBCMT ref: 00B070ED
                      • SetErrorMode.KERNEL32(00008001,0000000A), ref: 00AF24AB
                      • SetFileAttributesW.KERNEL32(0000000A,00000080), ref: 00AF24B5
                      • DeleteFileW.KERNEL32(0000000A), ref: 00AF24BE
                      • SetErrorMode.KERNEL32(00000000), ref: 00AF24CE
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorFileH_prolog3Mode$AttributesDeleteH_prolog3_
                      • String ID:
                      • API String ID: 2831870221-0
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AEAE9D
                        • Part of subcall function 00AAFF23: __EH_prolog3.LIBCMT ref: 00AAFF2A
                        • Part of subcall function 00AA55C0: SysFreeString.OLEAUT32(?), ref: 00AA55CE
                        • Part of subcall function 00AAF066: SysFreeString.OLEAUT32(00000000), ref: 00AAF075
                        • Part of subcall function 00AE6D24: __EH_prolog3_GS.LIBCMT ref: 00AE6D2B
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: FreeH_prolog3_String$H_prolog3
                      • String ID: REBOOTPROMPT=S$/passive$uiet
                      • API String ID: 2750253538-3557179144
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AB6769
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00AB5E3D: __EH_prolog3_GS.LIBCMT ref: 00AB5E44
                        • Part of subcall function 00AB6703: __EH_prolog3.LIBCMT ref: 00AB670A
                        • Part of subcall function 00AAF565: __EH_prolog3_GS.LIBCMT ref: 00AAF56F
                        • Part of subcall function 00AB5F47: __EH_prolog3_GS.LIBCMT ref: 00AB5F4E
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00B0C665: __EH_prolog3.LIBCMT ref: 00B0C66C
                        • Part of subcall function 00AAC6A3: __EH_prolog3.LIBCMT ref: 00AAC6AA
                        • Part of subcall function 00ADA973: __EH_prolog3.LIBCMT ref: 00ADA97A
                        • Part of subcall function 00B0DB79: __EH_prolog3_GS.LIBCMT ref: 00B0DB83
                        • Part of subcall function 00AAC58D: __EH_prolog3_GS.LIBCMT ref: 00AAC594
                        • Part of subcall function 00B0E2FB: __EH_prolog3.LIBCMT ref: 00B0E302
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: H_prolog3_$H_prolog3$ErrorLast$FreeString
                      • String ID: %ld$.ini$0x%04x
                      • API String ID: 1830939593-494970429
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ADE0DA
                        • Part of subcall function 00ADC6C9: __EH_prolog3_catch.LIBCMT ref: 00ADC6D0
                        • Part of subcall function 00ADC6C9: lstrcmpW.KERNEL32(?,00B45168,?,?,00B45168,?,?,00000004,00ADEBEE,Startup,Source,00000001,?,00000400,00000452), ref: 00ADC6F8
                        • Part of subcall function 00AF4CB1: _malloc.LIBCMT ref: 00AF4CC9
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: H_prolog3_H_prolog3_catch_malloclstrcmp
                      • String ID: Creating setup dialog...$Startup$session.cpp
                      • API String ID: 43970051-4223746603
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AC28F7
                        • Part of subcall function 00ADEB4A: __EH_prolog3_GS.LIBCMT ref: 00ADEB54
                        • Part of subcall function 00AA1410: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00AA1434
                        • Part of subcall function 00AA1410: RegCloseKey.ADVAPI32(00000000), ref: 00AA1497
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00AB66D5: __EH_prolog3.LIBCMT ref: 00AB66DC
                      • RegDeleteValueW.ADVAPI32(?,?), ref: 00AC2A2B
                      Strings
                      • Software\Microsoft\Windows\CurrentVersion, xrefs: 00AC293A
                      • %%IS_PREREQCMD%%-%s, xrefs: 00AC29C2
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorH_prolog3_Last$CloseDeleteH_prolog3HandleModuleValue
                      • String ID: %%IS_PREREQCMD%%-%s$Software\Microsoft\Windows\CurrentVersion
                      • API String ID: 542918927-2925278765
                      • Opcode ID: ec4e196914afbf6a27c7e36796a82f3a42486057ec93dad6ca2f0fb79a1955f7
                      • Instruction ID: 9e5d828dd776752335c47464d9fc2ee2ab337fa096df5e1ac7d7d8d29d636c32
                      • Opcode Fuzzy Hash: ec4e196914afbf6a27c7e36796a82f3a42486057ec93dad6ca2f0fb79a1955f7
                      • Instruction Fuzzy Hash: 81515A71900218EFDB24DFA4CD85FEEB7B4AF05304F1041ADE556AB292DB70AA49CF51
                      APIs
                      Strings
                      • DownloadFiles: %s, xrefs: 00ABAB28
                      • ..\..\..\Shared\Setup\IsPreReqDlg.cpp, xrefs: 00ABAB2E
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: H_prolog3_Window
                      • String ID: ..\..\..\Shared\Setup\IsPreReqDlg.cpp$DownloadFiles: %s
                      • API String ID: 2696129371-3939366323
                      • Opcode ID: a4aa562e2c83cf8f22c90184d014e877e076543af0bc15b69323469becf0d53e
                      • Instruction ID: ada2fca6ffeadb21ea87cd3e4eb5c39fd05d293945b3b8a6bcb34f9d6f5c4be0
                      • Opcode Fuzzy Hash: a4aa562e2c83cf8f22c90184d014e877e076543af0bc15b69323469becf0d53e
                      • Instruction Fuzzy Hash: DA419E71D00248EFCB10EFA4C981ADDBBF9BF14304F24406EE515AB292EB759A04DBA1
                      APIs
                      Strings
                      • CSetupPreRequisite::ExecuteMsiWithProgress, xrefs: 00AE8F6E
                      • Launching MSI prerequisite %s, command line %s, xrefs: 00AE906F
                      • ..\..\..\Shared\Setup\SetupPreRequisite.cpp, xrefs: 00AE8F51, 00AE9075
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: H_prolog3_
                      • String ID: ..\..\..\Shared\Setup\SetupPreRequisite.cpp$CSetupPreRequisite::ExecuteMsiWithProgress$Launching MSI prerequisite %s, command line %s
                      • API String ID: 2427045233-3035870728
                      • Opcode ID: 9c151febb1f32cb9f5e529d178d765168e2774d00e84a102761e0bd79244c596
                      • Instruction ID: 18aa8b7591df84647c5c5528f63bb623ac285fe15870f9984fc420245e6b4256
                      • Opcode Fuzzy Hash: 9c151febb1f32cb9f5e529d178d765168e2774d00e84a102761e0bd79244c596
                      • Instruction Fuzzy Hash: 4D51AC70904358EEDB21EBA4CD45BEEBBB8AF15310F5001D9E049A70D2DB746B89CB61
                      APIs
                      Strings
                      • Delaying required MSI Reboot, xrefs: 00ABC18C
                      • User chose to reboot later. Exiting., xrefs: 00ABC208
                      • ..\..\..\Shared\Setup\IsPreReqDlg.cpp, xrefs: 00ABC172, 00ABC1F1
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: H_prolog3_
                      • String ID: ..\..\..\Shared\Setup\IsPreReqDlg.cpp$Delaying required MSI Reboot$User chose to reboot later. Exiting.
                      • API String ID: 2427045233-873802752
                      • Opcode ID: 350a283cf455d22e94f401610c53ae2d5ce20a03657b704c96669658551e325c
                      • Instruction ID: d59aa79e96ca163030dc320ce35849589ef807e4629a797d41ee9b6d8abdf2bd
                      • Opcode Fuzzy Hash: 350a283cf455d22e94f401610c53ae2d5ce20a03657b704c96669658551e325c
                      • Instruction Fuzzy Hash: 4C417170900248EFEB14EBB4C855FED77B8BB52320F20405DE242AB1E3DBB55949CB51
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AD4672
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00AC10B8: __EH_prolog3_GS.LIBCMT ref: 00AC10BF
                        • Part of subcall function 00AC76A3: __EH_prolog3_GS.LIBCMT ref: 00AC76AA
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorLast$H_prolog3_$FreeString
                      • String ID: /n %s$:InstanceId%d.mst$MSINEWINSTANCE=1
                      • API String ID: 1274762985-3737453586
                      • Opcode ID: 406e33b8db0e7ae05325be150206fb8df983a629a029caeaf05af398c70c0562
                      • Instruction ID: 8be5cbe502d5bb11f476f0ee45c445cca2cdba35a5cb2863622bba18275588e5
                      • Opcode Fuzzy Hash: 406e33b8db0e7ae05325be150206fb8df983a629a029caeaf05af398c70c0562
                      • Instruction Fuzzy Hash: 8E414071C04259EBCF14DFE4C991ADDBBB8BF15304F24416EE106A7282DB709A09DB51
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ACCBCD
                        • Part of subcall function 00AAC6A3: __EH_prolog3.LIBCMT ref: 00AAC6AA
                        • Part of subcall function 00ACCA9F: __EH_prolog3_GS.LIBCMT ref: 00ACCAA6
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00AAF37B: __EH_prolog3.LIBCMT ref: 00AAF382
                        • Part of subcall function 00AAF320: SysStringLen.OLEAUT32(?), ref: 00AAF32D
                        • Part of subcall function 00AAF320: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00AAF347
                      • GetModuleFileNameW.KERNEL32(00000000,00000000,00000400,?,00000400,?,?,00000000,00000000,ISSetup.dll,?,00000001,000000A8,00ACE8AD,?), ref: 00ACCC69
                        • Part of subcall function 00AAC8E0: __EH_prolog3_GS.LIBCMT ref: 00AAC8E7
                        • Part of subcall function 00AAC8E0: GetLastError.KERNEL32(00000038,00AB6EF1), ref: 00AAC8EE
                        • Part of subcall function 00AAC8E0: SetLastError.KERNEL32(00000000), ref: 00AAC944
                        • Part of subcall function 00AAF565: __EH_prolog3_GS.LIBCMT ref: 00AAF56F
                        • Part of subcall function 00AAC58D: __EH_prolog3_GS.LIBCMT ref: 00AAC594
                        • Part of subcall function 00AB5F47: __EH_prolog3_GS.LIBCMT ref: 00AB5F4E
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorH_prolog3_Last$String$FreeH_prolog3$AllocFileModuleName
                      • String ID: ISSetup.dll$ISSetup.dll
                      • API String ID: 3766261395-1816852773
                      • Opcode ID: 3d570cc24d5deb497d36ebe00fabec61dabe876baa379189a28819ff01eacfb6
                      • Instruction ID: 9cee6a0227e51e2fcb5d9f8e880a30fe64a09b57b3030c7a8470ce1e46b4ec95
                      • Opcode Fuzzy Hash: 3d570cc24d5deb497d36ebe00fabec61dabe876baa379189a28819ff01eacfb6
                      • Instruction Fuzzy Hash: 6A418471D01218EEDB11EBA4CD56BEEB7B8AF12310F104199F156A71D2EB701F09DB91
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AB10DB
                        • Part of subcall function 00AB13F3: __EH_prolog3_GS.LIBCMT ref: 00AB13FA
                      • lstrcpyW.KERNEL32(?,00000000,?,00000000,?,00000000,MsiVersion,000000A4,00AB2F68), ref: 00AB1178
                      • lstrcpyW.KERNEL32(?,?), ref: 00AB119E
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: H_prolog3_lstrcpy
                      • String ID: MsiVersion
                      • API String ID: 378676564-1669961159
                      • Opcode ID: e3e5b36430bde4b739f7ab874323ca5323187022bd81f3d7f924541ecde882c8
                      • Instruction ID: 559809cc8538b8bd2ba998952beaf6fc79a737d31f8b50e87f3ff156cb2ec13f
                      • Opcode Fuzzy Hash: e3e5b36430bde4b739f7ab874323ca5323187022bd81f3d7f924541ecde882c8
                      • Instruction Fuzzy Hash: 70415E71A00218EFDF14DBA4DD95BDDB3B9BF49310F5001A9E609AB192DB70AE84CF61
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00B10D10
                        • Part of subcall function 00B109A3: __EH_prolog3.LIBCMT ref: 00B109AA
                        • Part of subcall function 00B109A3: GetLastError.KERNEL32(00000004,00B10D2E,?,00000001,0000003C,00B111B7,?,00000000,00000000,00000000,?,?,00000001), ref: 00B109D2
                        • Part of subcall function 00B109A3: SetLastError.KERNEL32(?,?), ref: 00B109FE
                      • _Find_unchecked1.LIBCPMT ref: 00B10D55
                      • SysStringLen.OLEAUT32(?), ref: 00B10E06
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorH_prolog3Last$Find_unchecked1String
                      • String ID: ;
                      • API String ID: 637338078-1661535913
                      • Opcode ID: fcd75b770d566bb997e2f127071d4510d085618d0e52efc41915d3d8d296538b
                      • Instruction ID: d7b2e8da0b458e30341c5a41a3b00dad51d6629ed4436a67f0bfb63adb66c918
                      • Opcode Fuzzy Hash: fcd75b770d566bb997e2f127071d4510d085618d0e52efc41915d3d8d296538b
                      • Instruction Fuzzy Hash: D231D471910209EBDF14FFA4D991AEE73F4EF04300F9080A9F8559B292DBB4AAC5C751
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00B0A79A
                        • Part of subcall function 00AAC346: __EH_prolog3.LIBCMT ref: 00AAC34D
                        • Part of subcall function 00AAC346: GetLastError.KERNEL32(00000004,00ADA9A1,?,00000000,00000004,00AAEE6B,?,00000001), ref: 00AAC36F
                        • Part of subcall function 00AAC346: SetLastError.KERNEL32(?,00000000), ref: 00AAC3AF
                        • Part of subcall function 00B0AD39: __EH_prolog3.LIBCMT ref: 00B0AD40
                        • Part of subcall function 00AAC449: __EH_prolog3.LIBCMT ref: 00AAC450
                        • Part of subcall function 00AAC449: GetLastError.KERNEL32(00000004,00AAC6DF,00000000,?,00000000,00000004,00AAF608,-00000004,?,00000001,?,00000000), ref: 00AAC472
                        • Part of subcall function 00AAC449: SetLastError.KERNEL32(?,00000000,?), ref: 00AAC4B3
                        • Part of subcall function 00AAC58D: __EH_prolog3_GS.LIBCMT ref: 00AAC594
                        • Part of subcall function 00AAC6A3: __EH_prolog3.LIBCMT ref: 00AAC6AA
                        • Part of subcall function 00B09667: __EH_prolog3_GS.LIBCMT ref: 00B09671
                        • Part of subcall function 00B09667: _memset.LIBCMT ref: 00B0970A
                        • Part of subcall function 00B09667: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000044,00B6DA70,?,00000000,00B0A85F,0000000A,00000000), ref: 00B09782
                        • Part of subcall function 00B09667: GetLastError.KERNEL32 ref: 00B0979D
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorLast$H_prolog3$H_prolog3_$FreeString$CreateProcess_memset
                      • String ID: /REGSERVER$ /UNREGSERVER$open
                      • API String ID: 2413291776-1423703008
                      • Opcode ID: 5f9237911dd0cc3d4c48722ae7dde5cd807ad1a76cf802246237ecadc500b378
                      • Instruction ID: b30b3a2b1e4861c4493ad6e64b10ade4455c7e2db447b10e3bbad5dbb2ada692
                      • Opcode Fuzzy Hash: 5f9237911dd0cc3d4c48722ae7dde5cd807ad1a76cf802246237ecadc500b378
                      • Instruction Fuzzy Hash: 0C21B275E40348AFEB00EBA4C913BEDBBF89F55710F544094F904AB2C2DBB54A0997E6
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: _memsetwsprintf
                      • String ID: %s/%s$Location
                      • API String ID: 1984265443-42320356
                      • Opcode ID: eb754ea18bad3801f56056e71c5448d8c4137bceb13cd4e7018b3e144685ec3c
                      • Instruction ID: 94f55c53cd7047252963ebe5f4fd730dbb8288ba103ad3d01cbed60d0ed497c2
                      • Opcode Fuzzy Hash: eb754ea18bad3801f56056e71c5448d8c4137bceb13cd4e7018b3e144685ec3c
                      • Instruction Fuzzy Hash: 71215E72940208AFCB24EB94DC45FEBB7F8FB05714F0086A9B556E7191DB74AA44CB90
                      APIs
                      • _memset.LIBCMT ref: 00B15D97
                      • _memset.LIBCMT ref: 00B15DA4
                        • Part of subcall function 00B1A210: GetDC.USER32(?), ref: 00B1A219
                        • Part of subcall function 00B1A210: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B1A22A
                        • Part of subcall function 00B1A210: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00B1A231
                        • Part of subcall function 00B1A210: ReleaseDC.USER32(?,00000000), ref: 00B1A239
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: CapsDevice_memset$Release
                      • String ID: d$d
                      • API String ID: 2582967517-195624457
                      • Opcode ID: 42de90ee59733e42b246c5211e921bd1f29c7f4cc81c3debcf9f1d1b94881979
                      • Instruction ID: 437154e8f455cc3ed80dee925cf66bc1bbb5f20714c0f626fe9a8211032d18cf
                      • Opcode Fuzzy Hash: 42de90ee59733e42b246c5211e921bd1f29c7f4cc81c3debcf9f1d1b94881979
                      • Instruction Fuzzy Hash: 092138B1640344DFDB54DF59C8C5B8ABBE8FB08714F1041AAEE049B386D3BAA904CF94
                      APIs
                      Strings
                      • C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}, xrefs: 00ADC184
                      • Extracting setup.ini..., xrefs: 00ADC124
                      • session.cpp, xrefs: 00ADC10E
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: H_prolog3_
                      • String ID: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}$Extracting setup.ini...$session.cpp
                      • API String ID: 2427045233-4221544504
                      • Opcode ID: 82236eb7d6f5a0238b4e24d713b6e50d0fa76b5f21bc8bfcb5bf6f97766e63b5
                      • Instruction ID: 6457b718e9c953327c4fe344b3af0a618d512dc1143e08736cf511c4acbccd10
                      • Opcode Fuzzy Hash: 82236eb7d6f5a0238b4e24d713b6e50d0fa76b5f21bc8bfcb5bf6f97766e63b5
                      • Instruction Fuzzy Hash: DD11BF71A00259AFDB10EBE4CD91FAE77B8AB11310F504169F002A71E2DB785E0ACB60
                      APIs
                      • CharNextW.USER32 ref: 00AC01F6
                        • Part of subcall function 00ADAEB4: _memset.LIBCMT ref: 00ADAF12
                        • Part of subcall function 00ADAEB4: _memset.LIBCMT ref: 00ADAF2D
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorFreeLastString_memset$CharNext
                      • String ID: #$/noscript_uninst$noscript_uninst
                      • API String ID: 1702018720-2275952584
                      • Opcode ID: fbb517becdca004975a23d18e7084d75ea6574a97570b9305691b46658a3e883
                      • Instruction ID: 34054fe5e085d95409a984e93f3d4e448d736df94052b54daa9e696c48a5e873
                      • Opcode Fuzzy Hash: fbb517becdca004975a23d18e7084d75ea6574a97570b9305691b46658a3e883
                      • Instruction Fuzzy Hash: 4D01FC70644208AEDB18EBA0CDA6FBE7678DF51710F1002A8F103661D2EF701F82DBA1
                      APIs
                      • _memset.LIBCMT ref: 00ADE48D
                        • Part of subcall function 00AAD24B: __EH_prolog3_GS.LIBCMT ref: 00AAD252
                      • lstrlenW.KERNEL32(?,Startup,ClickOncePackage,00B45168,?,00000400), ref: 00ADE4BF
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: H_prolog3__memsetlstrlen
                      • String ID: ClickOncePackage$Startup
                      • API String ID: 1437836783-2858441910
                      • Opcode ID: 010397201d61a2a1d672ac68adb92c9f97cfc5b35e6686dccd18cc63a4af5c1e
                      • Instruction ID: b3911e46f5e9557742a6a865cc3aecca3513f35d5a5e0dca14351546e2ecb40b
                      • Opcode Fuzzy Hash: 010397201d61a2a1d672ac68adb92c9f97cfc5b35e6686dccd18cc63a4af5c1e
                      • Instruction Fuzzy Hash: 8501DBA5A802086AD730EB649D46AAA73ECFB04700F4054A6A645E71C1EA709E088794
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: H_prolog3_
                      • String ID: /qb$/qn$/quiet
                      • API String ID: 2427045233-508938941
                      • Opcode ID: d745a7628021a3d5384cf41f17f25aad4968807684d96ded6e60be538ba29ab7
                      • Instruction ID: 67884db9eb155b60839e61a7cc29c6950eef1501b7313e2dc7d31e93550b0bf2
                      • Opcode Fuzzy Hash: d745a7628021a3d5384cf41f17f25aad4968807684d96ded6e60be538ba29ab7
                      • Instruction Fuzzy Hash: 3B018C31A0021D9ACB14EFE0C894AADB7B0AF18324FA54269E1226B2E0D7305906DB00
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AF13AC
                        • Part of subcall function 00AB675F: __EH_prolog3_GS.LIBCMT ref: 00AB6769
                      • wsprintfW.USER32 ref: 00AF13EE
                      • wvsprintfW.USER32(?,?,?), ref: 00AF1409
                        • Part of subcall function 00AF0BC1: __EH_prolog3_GS.LIBCMT ref: 00AF0BCB
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: H_prolog3_$ErrorFreeLastString$wsprintfwvsprintf
                      • String ID: %d: %s
                      • API String ID: 244791219-204819183
                      • Opcode ID: 7eb512f2abaa00a2078defa054ed8f2997ea42ff51dc68b9f62d755b2d687fd8
                      • Instruction ID: 994d5a8b930a11924d539eebea946a6f38f1c04b4564cbf894bd1005cbe2d11e
                      • Opcode Fuzzy Hash: 7eb512f2abaa00a2078defa054ed8f2997ea42ff51dc68b9f62d755b2d687fd8
                      • Instruction Fuzzy Hash: A50129B180011DEBCF20EBA0CC45EED77BCBB04318F1041A6F219A7191DA34AA85CF58
                      APIs
                      • GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,00ABAC1D,?,?,00000000,?,?,?,?,?,?), ref: 00ABCD80
                      • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00ABCD90
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: Advapi32.dll$RegCreateKeyTransactedW
                      • API String ID: 1646373207-2994018265
                      • Opcode ID: 06a5e9bb1053d496aab296f7783fdf6fb1810244e158e98c39df74bb23b33cb5
                      • Instruction ID: ade8139d87e08cf9ac5d85fd618fcf691b4061f7c737554eddf38315a7d93b61
                      • Opcode Fuzzy Hash: 06a5e9bb1053d496aab296f7783fdf6fb1810244e158e98c39df74bb23b33cb5
                      • Instruction Fuzzy Hash: B4F0F936140609FBDF221F94DD04FDA3FA9FF08761F144529FA44A50A1C772C4A0EB90
                      APIs
                      • GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,00AD8A87,?,?), ref: 00AD91E7
                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00AD91F7
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: Advapi32.dll$RegDeleteKeyTransactedW
                      • API String ID: 1646373207-2168864297
                      • Opcode ID: 3d5347217ca1a4962f7399c63d68ad3e302481cc6c9212974d9e62ed03973406
                      • Instruction ID: 71c12207fec7ff7221ba6ef44452d782799a6ba21d860d138bd0882abf656b58
                      • Opcode Fuzzy Hash: 3d5347217ca1a4962f7399c63d68ad3e302481cc6c9212974d9e62ed03973406
                      • Instruction Fuzzy Hash: 0EF0A732244A04BB87301FA6AC08D9BBBEDFFC1B61B50443BF546E2111CB31C421D670
                      APIs
                      • GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId,?,00B09938,?), ref: 00B08A4D
                      • GetProcAddress.KERNEL32(00000000), ref: 00B08A54
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: GetProcessId$kernel32.dll
                      • API String ID: 1646373207-399901964
                      • Opcode ID: aa90c48e4cb8ae1c20aef3d47c52a38cc6a73a90087d3f758bf52dd1bad27063
                      • Instruction ID: 7c76b2ab74b0718e8092c3433c1f6b6ca4ca92408afe11e1dc5ea10bc51776a4
                      • Opcode Fuzzy Hash: aa90c48e4cb8ae1c20aef3d47c52a38cc6a73a90087d3f758bf52dd1bad27063
                      • Instruction Fuzzy Hash: B4D01231784F0C6FDB106BF5AC09A293F9CEA4065175400A1B50DE14A0EE62C6209B60
                      APIs
                      • GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories), ref: 00AE0B0F
                      • GetProcAddress.KERNEL32(00000000), ref: 00AE0B16
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: SetDefaultDllDirectories$kernel32.dll
                      • API String ID: 1646373207-2102062458
                      • Opcode ID: 00ea2b3c878396c2c4eb796699156dfa5bf1832f8327e07df683e7829149fce9
                      • Instruction ID: cc38b77b724a4ec2cea453e844e8ff54088e9dbb16ff6892c720afaea6a35960
                      • Opcode Fuzzy Hash: 00ea2b3c878396c2c4eb796699156dfa5bf1832f8327e07df683e7829149fce9
                      • Instruction Fuzzy Hash: 6DC01232384B206BCA7067FD3C0AF6A698CBB04A92F640494B245F60A0DEE0C8008BA0
                      APIs
                        • Part of subcall function 00ADCC6F: __EH_prolog3_GS.LIBCMT ref: 00ADCC79
                      • lstrcmpiW.KERNEL32(-00000004,?,?,-00000004,PackageCode,?,00000032,?), ref: 00AC90F9
                        • Part of subcall function 00AAC8E0: __EH_prolog3_GS.LIBCMT ref: 00AAC8E7
                        • Part of subcall function 00AAC8E0: GetLastError.KERNEL32(00000038,00AB6EF1), ref: 00AAC8EE
                        • Part of subcall function 00AAC8E0: SetLastError.KERNEL32(00000000), ref: 00AAC944
                        • Part of subcall function 00AC58F1: __EH_prolog3.LIBCMT ref: 00AC58F8
                        • Part of subcall function 00ADA973: __EH_prolog3.LIBCMT ref: 00ADA97A
                        • Part of subcall function 00B070E3: __EH_prolog3_GS.LIBCMT ref: 00B070ED
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: H_prolog3_$ErrorH_prolog3Last$lstrcmpi
                      • String ID: F$InstallSource$PackageName
                      • API String ID: 4151595970-1171492974
                      • Opcode ID: 5e13a810eb1c5127e8993892592f35664f978a2faaee16103a2669339a6f2f86
                      • Instruction ID: 0967b4f5f1505c78613aadb22356cd26cd3c496bf4df1465d8793a2dd7991590
                      • Opcode Fuzzy Hash: 5e13a810eb1c5127e8993892592f35664f978a2faaee16103a2669339a6f2f86
                      • Instruction Fuzzy Hash: 1F817C71A02258DEDF15DB64CE55BEEBBB8AF16300F0440D8E04A67282DB745F84DF52
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ADA410
                        • Part of subcall function 00AF4CB1: _malloc.LIBCMT ref: 00AF4CC9
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000400,00B45168,?,00000001), ref: 00ADA5B4
                        • Part of subcall function 00AE5021: __EH_prolog3.LIBCMT ref: 00AE5028
                      • _memset.LIBCMT ref: 00ADA655
                      • _memset.LIBCMT ref: 00ADA66D
                        • Part of subcall function 00AD4073: __EH_prolog3.LIBCMT ref: 00AD407A
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: H_prolog3_memset$FileH_prolog3_ModuleName_malloc
                      • String ID:
                      • API String ID: 1040074069-0
                      • Opcode ID: 38c146f0d5341433b12645ce77e811e0d5917744a54c68950851b8d486b8b8bd
                      • Instruction ID: f8c12a3b84efc157b9e301366716c21d9245a2e6da2f2789f8144cfed4aafb05
                      • Opcode Fuzzy Hash: 38c146f0d5341433b12645ce77e811e0d5917744a54c68950851b8d486b8b8bd
                      • Instruction Fuzzy Hash: 0C71E170901749DEDB20DF7989947DAFBF4BF18300F5088AEE19AD3281DBB09A45CB91
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AB4356
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      • _wcsncpy.LIBCMT ref: 00AB447A
                      • _memmove.LIBCMT ref: 00AB4509
                      • _memmove.LIBCMT ref: 00AB452E
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorFreeLastString_memmove$H_prolog3__wcsncpy
                      • String ID:
                      • API String ID: 127149598-0
                      • Opcode ID: 7e9160e99635e089d99d6bb1c3b50bd0fe57053086857eed418ffa443c8b49d2
                      • Instruction ID: 116e43aa87024be05e9010b03a1485f541e4f5515c5191a5064aba728c12f1ca
                      • Opcode Fuzzy Hash: 7e9160e99635e089d99d6bb1c3b50bd0fe57053086857eed418ffa443c8b49d2
                      • Instruction Fuzzy Hash: 005160719002299BDB24DFA4CD91BEEB7B9FF44310F1482A9E01A97182EB749E84CF51
                      APIs
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: AdjustPointer_memmove
                      • String ID:
                      • API String ID: 1721217611-0
                      • Opcode ID: 307f023f0d22aae1b5357f9535cc9af6ebc4f9e13d168061b072ae0d07941573
                      • Instruction ID: fe67a1a1f3ed5528f623070b4846fae55f55cd34846cfd83c2d55bdc9834af3e
                      • Opcode Fuzzy Hash: 307f023f0d22aae1b5357f9535cc9af6ebc4f9e13d168061b072ae0d07941573
                      • Instruction Fuzzy Hash: B741D53620434A9EEB246F94DD82B7A73A59F517A0F34002EFB409B1E1DF7AE880D615
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AAEE89
                      • _strlen.LIBCMT ref: 00AAEEB6
                      • MultiByteToWideChar.KERNEL32(00000008,00000000,?,00000001,00000000,00000000,00000044,00AAEE59,00B3C124,?,00000000,00000008,00000040,invalid string position,?,00AAEDA9), ref: 00AAEECF
                      • MultiByteToWideChar.KERNEL32(00000008,00000000,?,00000000,00000000,00000000,?,00AAEDA9,00000000,?,?,00000000,?,00AAE851,?), ref: 00AAEEFD
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ByteCharMultiWide$H_prolog3__strlen
                      • String ID:
                      • API String ID: 708778256-0
                      • Opcode ID: cabd9bcbeca0d1f9900e1f2b85ca7b5c5bf1fb283a957b63843d2329d19937ae
                      • Instruction ID: f2cb4db6e9338ee151756eed8b5b9ac2493020fd799062917f4cd9e14030c2ba
                      • Opcode Fuzzy Hash: cabd9bcbeca0d1f9900e1f2b85ca7b5c5bf1fb283a957b63843d2329d19937ae
                      • Instruction Fuzzy Hash: 65417271901219AFDB14EBA8CD85BFEBBB8EF46320F240229F515EB2D1DB749D019760
                      APIs
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: String$Free$H_prolog3_
                      • String ID:
                      • API String ID: 332078091-0
                      • Opcode ID: c9822f53796511e27364485a15ed12b98574a65a0b99a319c86d6799aeb2c81e
                      • Instruction ID: df1cd363360ec89157ffd2ccd012a221187fa52c5dec05cfb637cf8c2603aa20
                      • Opcode Fuzzy Hash: c9822f53796511e27364485a15ed12b98574a65a0b99a319c86d6799aeb2c81e
                      • Instruction Fuzzy Hash: A4519870D042199FDB24CFA4C895BEDBBB8FF05320F20819DE466AB292DB705A85CF10
                      APIs
                      • GetLastError.KERNEL32(6D9FB08F,?,74DEDFA0,74DEE010), ref: 00AA4533
                      • SysFreeString.OLEAUT32(?), ref: 00AA454F
                      • SysFreeString.OLEAUT32(?), ref: 00AA455A
                      • SetLastError.KERNEL32(?), ref: 00AA457A
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorFreeLastString
                      • String ID:
                      • API String ID: 3822639702-0
                      • Opcode ID: ae7f83e50437655412196c057340505b2ac44fc35413b9679330207585109037
                      • Instruction ID: 12d4bf2a3ecc23f4e0edfc8931e0275c75544ee21139daf1bb3c883f11d7dff9
                      • Opcode Fuzzy Hash: ae7f83e50437655412196c057340505b2ac44fc35413b9679330207585109037
                      • Instruction Fuzzy Hash: D1417C31A04209AFCF10DF68C941BAA77F4FF4A714F104629F816A72D1DB71EA04CB90
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AD6E99
                        • Part of subcall function 00AD6859: __EH_prolog3_GS.LIBCMT ref: 00AD6860
                        • Part of subcall function 00AD6859: IsWindow.USER32(?), ref: 00AD68A6
                        • Part of subcall function 00AD6859: SendMessageW.USER32(?,00001061,?,00000008), ref: 00AD68BB
                      • SendMessageW.USER32(?,0000101E,00000000,000000FE), ref: 00AD6F6F
                      • SendMessageW.USER32(?,00001036,00000000,00000020), ref: 00AD6F88
                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AD6F96
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: MessageSend$H_prolog3_$Window
                      • String ID:
                      • API String ID: 1329796335-0
                      • Opcode ID: 8b02b741cb17ed5d73173231ece13bd4147093bc9194b4587df69ea1080f861a
                      • Instruction ID: ed6847bdcc1280abe0039ae26d35ebaa4f1206ea3ef19fbb315615ffae7dc371
                      • Opcode Fuzzy Hash: 8b02b741cb17ed5d73173231ece13bd4147093bc9194b4587df69ea1080f861a
                      • Instruction Fuzzy Hash: 6331C931A40614ABCB21EF60D995BEEBBB4AF19750F14401EF557AB3D1CB70AD05CB50
                      APIs
                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B00EA8
                      • __isleadbyte_l.LIBCMT ref: 00B00ED6
                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00AF528C,00000001,00000000,00000000,?,00000000,00000000,?,?,00AF528C,00000000), ref: 00B00F04
                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00AF528C,00000001,00000000,00000000,?,00000000,00000000,?,?,00AF528C,00000000), ref: 00B00F3A
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                      • String ID:
                      • API String ID: 3058430110-0
                      • Opcode ID: 16ffcb7853a3012aa3c5a1bd08799ee734a22d1391e7dfec82f9ad64e34aa730
                      • Instruction ID: 8fd08c5bbd5db00a19b06cd6f375ae7d1b1218a0bd14152f44ca1ca2a5aee0c1
                      • Opcode Fuzzy Hash: 16ffcb7853a3012aa3c5a1bd08799ee734a22d1391e7dfec82f9ad64e34aa730
                      • Instruction Fuzzy Hash: D931CD31A1024AAFDB31AF64C884BBA7FE5FF41310F1549A8F8149B1E1E730E851EB90
                      APIs
                      • SysStringLen.OLEAUT32(00000001), ref: 00AB0B77
                      • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00AB0BCF
                      • SysStringLen.OLEAUT32(00000001), ref: 00AB0BE4
                      • SysFreeString.OLEAUT32(00000001), ref: 00AB0C21
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: String$AllocFree
                      • String ID:
                      • API String ID: 344208780-0
                      • Opcode ID: 9f9a27834f6f69b797587e370eabe640b5df4fe3fdf5904f507c24d49eedc5b2
                      • Instruction ID: a4818729826cff4b357fa532ec3d111d4b4a1c7f50793bff6f5d851034860788
                      • Opcode Fuzzy Hash: 9f9a27834f6f69b797587e370eabe640b5df4fe3fdf5904f507c24d49eedc5b2
                      • Instruction Fuzzy Hash: FB215175900209FFDB10AFA8D945EDFBBBCEF08354F108829F945D6212E775DA148B54
                      APIs
                      • FindResourceExW.KERNEL32(?,00000006,?,?,?,00000001,?,?,00AB69A5,?,?,?,?,?,00000001), ref: 00B09A7A
                      • FindResourceExW.KERNEL32(?,00000006,00000001,?,?,00000001,?,?,00AB69A5,?,?,?,?,?,00000001), ref: 00B09AB2
                      • FindResourceExW.KERNEL32(?,00000006,00000001,00000400,?,00000001,?,?,00AB69A5,?,?,?,?,?,00000001), ref: 00B09ADF
                      • FindResourceExW.KERNEL32(?,00000006,00000001,00000000,?,00000001,?,?,00AB69A5,?,?,?,?,?,00000001), ref: 00B09B09
                        • Part of subcall function 00B099E7: __EH_prolog3_GS.LIBCMT ref: 00B099EE
                        • Part of subcall function 00B099E7: LoadResource.KERNEL32(?,?,00000038,00B09B24,?,?,?,?,?,00000001,?,?,00AB69A5,?,?,?), ref: 00B09A05
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: Resource$Find$H_prolog3_Load
                      • String ID:
                      • API String ID: 4133745404-0
                      • Opcode ID: 58617b5e5857cca172c5738128ac2709d7557c271b1299a9074d5ae7d28bc881
                      • Instruction ID: 5a7e5558596d0bb3d07e20c5c73b92320acb2183234cb28705bdb8b61831dc8c
                      • Opcode Fuzzy Hash: 58617b5e5857cca172c5738128ac2709d7557c271b1299a9074d5ae7d28bc881
                      • Instruction Fuzzy Hash: 672139B5500209BAEF209F55DC02EEB3FEDEF05360F008091FE19A6192EB32DA119B60
                      APIs
                      • _malloc.LIBCMT ref: 00AEA619
                        • Part of subcall function 00AF6529: __FF_MSGBANNER.LIBCMT ref: 00AF6540
                        • Part of subcall function 00AF6529: __NMSG_WRITE.LIBCMT ref: 00AF6547
                        • Part of subcall function 00AF6529: RtlAllocateHeap.NTDLL(00DB0000,00000000,00000001,00000000,?,00000000,?,00AF780F,00000008,00000008,00000008,?,?,00AFF433,00000018,00B5DA98), ref: 00AF656C
                      • _memset.LIBCMT ref: 00AEA624
                      • _memset.LIBCMT ref: 00AEA645
                      • _free.LIBCMT ref: 00AEA67B
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: _memset$AllocateHeap_free_malloc
                      • String ID:
                      • API String ID: 585861054-0
                      • Opcode ID: 47b4dfbea115372ec85abfc08e4d9466c180c854dffd84b36cc0a2de499420cd
                      • Instruction ID: 71b187ec38fa7641a6dd4ef07d3ae9125991557a222ce61909fffe5fd2982f6c
                      • Opcode Fuzzy Hash: 47b4dfbea115372ec85abfc08e4d9466c180c854dffd84b36cc0a2de499420cd
                      • Instruction Fuzzy Hash: 8F214575900208AFCB15EFAADD81DAFBBFCEF99354B144029F904D7251DB30A902CB55
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ABECAD
                        • Part of subcall function 00AB6B22: __EH_prolog3_GS.LIBCMT ref: 00AB6B29
                      • lstrcpyA.KERNEL32(?,00000000), ref: 00ABED1A
                        • Part of subcall function 00AB64D4: __EH_prolog3_GS.LIBCMT ref: 00AB64DE
                        • Part of subcall function 00AB64A1: __EH_prolog3.LIBCMT ref: 00AB64A8
                      • lstrcpyA.KERNEL32(?,00000000,?,?), ref: 00ABED4F
                        • Part of subcall function 00B14790: wsprintfA.USER32 ref: 00B1481A
                        • Part of subcall function 00B14790: GetLastError.KERNEL32 ref: 00B14872
                        • Part of subcall function 00B14790: SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00B148C0
                        • Part of subcall function 00B14790: lstrcpyA.KERNEL32(000000D0,?), ref: 00B14909
                      • lstrcpyA.KERNEL32(?,00000000,?,00000000,00000174,00ABEEE6,?,?,00000001), ref: 00ABECFD
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorLastlstrcpy$H_prolog3_$FreeString$H_prolog3wsprintf
                      • String ID:
                      • API String ID: 1833800002-0
                      • Opcode ID: 5016250711d145050489925fc00dc7b87117e5fe637de04c2a7dcb659b0a42f5
                      • Instruction ID: 4e4955bac39af8adcaae4b15c173579527ca6df384dd80012c43378b2e4c98e4
                      • Opcode Fuzzy Hash: 5016250711d145050489925fc00dc7b87117e5fe637de04c2a7dcb659b0a42f5
                      • Instruction Fuzzy Hash: 75218D71D0116CEECB01EBA4C9419EEB7F8BF48340F1441AAE115AB192EF349F45DB50
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AE07CA
                      • __CxxThrowException@8.LIBCMT ref: 00AE0820
                      • SetFilePointer.KERNEL32(?,?,00000000,?,00000088,00AE05E3,00000000,00000000,00000000,00000000,00000000,0000000C,00AE06A5), ref: 00AE082C
                      • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00AE0870
                        • Part of subcall function 00ADA973: __EH_prolog3.LIBCMT ref: 00ADA97A
                        • Part of subcall function 00ADA8FD: __EH_prolog3.LIBCMT ref: 00ADA904
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: H_prolog3$ErrorException@8FileH_prolog3_LastPointerThrow
                      • String ID:
                      • API String ID: 4022812620-0
                      • Opcode ID: 0aaa821f8be61bf2171ec343ffa7798785918bb41623bf5daf9ab2253b74c145
                      • Instruction ID: 2eb1e1303616ea4cc4b5810066123d13ff956ad8468edec4df0851ff8eb860c0
                      • Opcode Fuzzy Hash: 0aaa821f8be61bf2171ec343ffa7798785918bb41623bf5daf9ab2253b74c145
                      • Instruction Fuzzy Hash: 32214C72900218EFDB10EBA0CD95FDEB378BF28310F104266F616A7191DBB09E85CB91
                      APIs
                      • GetLastError.KERNEL32(00B45168,00B45166,?,?,?,6D9FB08F,?,?,00B30B98,000000FF), ref: 00AA248B
                      • SysFreeString.OLEAUT32(?), ref: 00AA24A7
                      • SysFreeString.OLEAUT32(?), ref: 00AA24B2
                      • SetLastError.KERNEL32(?), ref: 00AA24D2
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorFreeLastString
                      • String ID:
                      • API String ID: 3822639702-0
                      • Opcode ID: a3c7e8ccedb87a517df28c20d9eabf2421424aadf00c84423512d14b9924757f
                      • Instruction ID: 28f576edf88f278e24211c4e1ffb8b02a86490c4670e1b6ae7904d96910abe38
                      • Opcode Fuzzy Hash: a3c7e8ccedb87a517df28c20d9eabf2421424aadf00c84423512d14b9924757f
                      • Instruction Fuzzy Hash: A8211531A10648AFCB14DF28DC04B9A7BE4FB09318F108669FC19D76A0EB35E910CB44
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ABDECF
                      • IsWindow.USER32(?), ref: 00ABDEEB
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                      • SendMessageW.USER32(?,00001074,?,?), ref: 00ABDF98
                      • SendMessageW.USER32(?,0000101E,00000000,000000FE), ref: 00ABDFA3
                        • Part of subcall function 00AB675F: __EH_prolog3_GS.LIBCMT ref: 00AB6769
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast$FreeH_prolog3_MessageSendString$Window
                      • String ID:
                      • API String ID: 2791905285-0
                      • Opcode ID: 4187ef917cc672cf78ea4139365ed83412fe8d512dd4079fa4b4ced8ba50351e
                      • Instruction ID: 32a71df7211cb598e7a5b538286f269aad749e25001091e49a015c1f5bdfd6c1
                      • Opcode Fuzzy Hash: 4187ef917cc672cf78ea4139365ed83412fe8d512dd4079fa4b4ced8ba50351e
                      • Instruction Fuzzy Hash: EC219175D04219EFDF20DFA0C981AEEBBB8FF55310F200159E856A3292DB709A45CB60
                      APIs
                      • GetLastError.KERNEL32(00B45168,00B45166,?,?,?,6D9FB08F,?,?,00B30B98,000000FF), ref: 00AA248B
                      • SysFreeString.OLEAUT32(?), ref: 00AA24A7
                      • SysFreeString.OLEAUT32(?), ref: 00AA24B2
                      • SetLastError.KERNEL32(?), ref: 00AA24D2
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorFreeLastString
                      • String ID:
                      • API String ID: 3822639702-0
                      • Opcode ID: bf930ebc04a8663e424482ca430e2b5b009473de1ed66f9ed4cecbc0cc172981
                      • Instruction ID: ea245365d6724a6d3109c529a18dd4d4af397b9b48e2b976acaa5bddb6ade447
                      • Opcode Fuzzy Hash: bf930ebc04a8663e424482ca430e2b5b009473de1ed66f9ed4cecbc0cc172981
                      • Instruction Fuzzy Hash: A3212531A00648AFCB14DF28DD14B9ABBE4FF09318F118669FC19D72A0EB35E910CB84
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AE08B9
                      • __CxxThrowException@8.LIBCMT ref: 00AE0911
                      • GetFileSize.KERNEL32(?,?,00000088,00AE04FC,00000000,0000000C,00AE06A5,?,?,?,?,?,?,00000000), ref: 00AE091A
                      • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00AE0927
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorException@8FileH_prolog3_LastSizeThrow
                      • String ID:
                      • API String ID: 4197087271-0
                      APIs
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ABCB70
                      • IsDialogMessageW.USER32(?), ref: 00ABCB84
                      • TranslateMessage.USER32(?), ref: 00ABCB92
                      • DispatchMessageW.USER32(?), ref: 00ABCB9C
                      Similarity
                      • API ID: Message$DialogDispatchPeekTranslate
                      • String ID:
                      • API String ID: 1266772231-0
                      APIs
                      • GetWindowRect.USER32(?,?), ref: 00B16983
                      • IntersectRect.USER32(?,?,?), ref: 00B16998
                      • GetWindowTextW.USER32(?,?,00000104), ref: 00B169AF
                      • InvalidateRect.USER32(?,?,00000000), ref: 00B169DB
                      Similarity
                      • API ID: Rect$Window$IntersectInvalidateText
                      • String ID:
                      • API String ID: 1165118807-0
                      APIs
                        • Part of subcall function 00ABB55A: __EH_prolog3_GS.LIBCMT ref: 00ABB561
                        • Part of subcall function 00ABB55A: FindWindowExW.USER32(000000FD,00000000,IsPrqHook,-00000004), ref: 00ABB5A1
                      • SendMessageW.USER32(00000000,0000000C,00000000,?), ref: 00ABE5D3
                      • SendMessageW.USER32(00000000,00000111,00000002,00000000), ref: 00ABE5E3
                        • Part of subcall function 00ABCBB8: __EH_prolog3_GS.LIBCMT ref: 00ABCBBF
                      Similarity
                      • API ID: H_prolog3_MessageSend$FindWindow
                      • String ID:
                      • API String ID: 4040661876-0
                      APIs
                      • CharNextW.USER32(?,?,?,00000000,?,00AF234C,?,?,00AF1350,?,?,00AF0E88,?,?,00ADFB48,00B6B748), ref: 00AF22D0
                      • CharNextW.USER32(?,?,?,00000000,?,00AF234C,?,?,00AF1350,?,?,00AF0E88,?,?,00ADFB48,00B6B748), ref: 00AF22F4
                      • CharNextW.USER32(00000000,?,?,00000000,?,00AF234C,?,?,00AF1350,?,?,00AF0E88,?,?,00ADFB48,00B6B748), ref: 00AF22FD
                      • CharNextW.USER32(00000000,?,?,00000000,?,00AF234C,?,?,00AF1350,?,?,00AF0E88,?,?,00ADFB48,00B6B748), ref: 00AF2302
                      Similarity
                      • API ID: CharNext
                      • String ID:
                      • API String ID: 3213498283-0
                      APIs
                      • FindResourceW.KERNEL32(?,00AF336D,00000002,?,00000000,00000001,?,00B1A2B2,00B3C124,?,00000000,00B19D4A,?,?,00B19D4A,?), ref: 00B19F70
                      • LoadResource.KERNEL32(?,00000000,?,00B1A2B2,00B3C124,?,00000000,00B19D4A,?,?,00B19D4A,?,?,00B3C124,00B170E1), ref: 00B19F83
                      • LockResource.KERNEL32(00000000,?,00B1A2B2,00B3C124,?,00000000,00B19D4A,?,?,00B19D4A,?,?,00B3C124,00B170E1), ref: 00B19F90
                      • FreeResource.KERNEL32(00000000,?,00B3C124,00B170E1), ref: 00B19FA2
                      Similarity
                      • API ID: Resource$FindFreeLoadLock
                      • String ID:
                      • API String ID: 1078018258-0
                      APIs
                      • GetDlgItem.USER32(?), ref: 00AD67FF
                      • GetDlgItem.USER32(?), ref: 00AD6811
                        • Part of subcall function 00AD6E92: __EH_prolog3_GS.LIBCMT ref: 00AD6E99
                        • Part of subcall function 00AD6E92: SendMessageW.USER32(?,0000101E,00000000,000000FE), ref: 00AD6F6F
                        • Part of subcall function 00AD6E92: SendMessageW.USER32(?,00001036,00000000,00000020), ref: 00AD6F88
                        • Part of subcall function 00AD6E92: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AD6F96
                      • EnableWindow.USER32(00000000,00000000), ref: 00AD682F
                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00AD684A
                      Similarity
                      • API ID: MessageSend$Item$EnableH_prolog3_Window
                      • String ID:
                      • API String ID: 3504422573-0
                      APIs
                        • Part of subcall function 00AF7A15: __getptd_noexit.LIBCMT ref: 00AF7A16
                      • __lock.LIBCMT ref: 00AF93E4
                      • InterlockedDecrement.KERNEL32(?), ref: 00AF9401
                      • _free.LIBCMT ref: 00AF9414
                      • InterlockedIncrement.KERNEL32(00DDCD08), ref: 00AF942C
                      Similarity
                      • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                      • String ID:
                      • API String ID: 2704283638-0
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AE00B1
                      • InterlockedDecrement.KERNEL32(00000000), ref: 00AE00C1
                      • CloseHandle.KERNEL32(000000FF), ref: 00AE00E9
                      • __CxxThrowException@8.LIBCMT ref: 00AE0122
                        • Part of subcall function 00AE0139: InterlockedDecrement.KERNEL32(00B6DB9C), ref: 00AE015E
                      Similarity
                      • API ID: DecrementInterlocked$CloseException@8H_prolog3_HandleThrow
                      • String ID:
                      • API String ID: 104201321-0
                      APIs
                      • PostMessageW.USER32(?,00000002,00000000,00000000), ref: 00AAD0F2
                      • KillTimer.USER32(?,000005DC), ref: 00AAD109
                      • PostQuitMessage.USER32(00000000), ref: 00AAD111
                      • SetTimer.USER32(?,000005DC,000003E8,00000000), ref: 00AAD132
                      Similarity
                      • API ID: MessagePostTimer$KillQuit
                      • String ID:
                      • API String ID: 143517078-0
                      APIs
                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00ABEBCE
                      • GetObjectW.GDI32(00000000,0000005C,?), ref: 00ABEBDB
                        • Part of subcall function 00ABEC18: GetLocaleInfoW.KERNEL32(?,00001004,?,00000014), ref: 00ABEC4C
                        • Part of subcall function 00ABEC18: TranslateCharsetInfo.GDI32(00000000,?,00000002), ref: 00ABEC67
                      • CreateFontIndirectW.GDI32(?), ref: 00ABEBF2
                      • SendMessageW.USER32(?,00000030,00000000,00000000), ref: 00ABEC02
                      Similarity
                      • API ID: InfoMessageSend$CharsetCreateFontIndirectLocaleObjectTranslate
                      • String ID:
                      • API String ID: 2681337867-0
                      APIs
                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00AF0F34
                      • GetObjectW.GDI32(00000000,0000005C,?), ref: 00AF0F41
                        • Part of subcall function 00AF1438: GetLocaleInfoW.KERNEL32(?,00001004,?,00000014), ref: 00AF146A
                        • Part of subcall function 00AF1438: TranslateCharsetInfo.GDI32(00000000,?,00000002), ref: 00AF1485
                      • CreateFontIndirectW.GDI32(?), ref: 00AF0F57
                      • SendMessageW.USER32(?,00000030,00000000,00000000), ref: 00AF0F65
                      Similarity
                      • API ID: InfoMessageSend$CharsetCreateFontIndirectLocaleObjectTranslate
                      • String ID:
                      • API String ID: 2681337867-0
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00AB4E22
                      • GetLastError.KERNEL32(00000004,00AB536B,?,00000000,00000004,00AB580C,?,00000001), ref: 00AB4E46
                      • SetLastError.KERNEL32(?), ref: 00AB4E77
                      • SetLastError.KERNEL32(00000000), ref: 00AB4E9B
                      Similarity
                      • API ID: ErrorLast$H_prolog3
                      • String ID:
                      • API String ID: 3502553090-0
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00AEA005
                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000010,00AE8431,?,?,?), ref: 00AEA01B
                      • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 00AEA02E
                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AEA03C
                        • Part of subcall function 00AA34D0: CloseHandle.KERNELBASE(?,00000000,00B0A2D6,?,0000006C,00B0AE91,00B09960,?,?), ref: 00AA34E3
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: File$Time$CloseCreateH_prolog3HandleLocal
                      • String ID:
                      • API String ID: 1194648477-0
                      APIs
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: FreeString_free
                      • String ID:
                      • API String ID: 2157979973-0
                      APIs
                      • lstrlenW.KERNEL32(?,?,?,00ADFB48,00B6B748,?,00B6BFCC,?,?,00AB0EBB,00000000,00000001,0000044F,00000000,000008A8,00AC0F82), ref: 00AF0E4B
                      • lstrcpynW.KERNEL32(?,?,-00000001,?,00ADFB48,00B6B748,?,00B6BFCC,?,?,00AB0EBB,00000000,00000001,0000044F,00000000,000008A8), ref: 00AF0E6F
                      • lstrcpyW.KERNEL32(?,?,?,00ADFB48,00B6B748,?,00B6BFCC,?,?,00AB0EBB,00000000,00000001,0000044F,00000000,000008A8,00AC0F82), ref: 00AF0E7C
                      • lstrcatW.KERNEL32(?,?,?,?,00ADFB48,00B6B748,?,00B6BFCC,?,?,00AB0EBB,00000000,00000001,0000044F,00000000,000008A8), ref: 00AF0E8C
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: lstrcatlstrcpylstrcpynlstrlen
                      • String ID:
                      • API String ID: 3428934214-0
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00B108B5
                      • GetLastError.KERNEL32(00000004,00B10E27,?,00000001), ref: 00B108D9
                      • SetLastError.KERNEL32(?), ref: 00B10906
                      • SetLastError.KERNEL32(00000000), ref: 00B10926
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast$H_prolog3
                      • String ID:
                      • API String ID: 3502553090-0
                      APIs
                      • IsWindow.USER32 ref: 00ABEB4F
                      • GetDlgItem.USER32(0000012D), ref: 00ABEB68
                      • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00ABEB78
                      • SendMessageW.USER32(00000000,00000402,?,00000000), ref: 00ABEB95
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: MessageSend$ItemWindow
                      • String ID:
                      • API String ID: 591194657-0
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00AF23F5
                        • Part of subcall function 00AAC6A3: __EH_prolog3.LIBCMT ref: 00AAC6AA
                        • Part of subcall function 00B070E3: __EH_prolog3_GS.LIBCMT ref: 00B070ED
                      • SetErrorMode.KERNEL32(00008001), ref: 00AF242E
                      • RemoveDirectoryW.KERNEL32(0000000A), ref: 00AF2437
                      • SetErrorMode.KERNEL32(00000000), ref: 00AF2444
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorH_prolog3Mode$DirectoryH_prolog3_Remove
                      • String ID:
                      • API String ID: 359717666-0
                      APIs
                      • GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                      • SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                      • SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                      • SetLastError.KERNEL32(?), ref: 00AA15D4
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorFreeLastString
                      • String ID:
                      • API String ID: 3822639702-0
                      APIs
                      • GetDC.USER32(?), ref: 00B1A219
                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B1A22A
                      • GetDeviceCaps.GDI32(00000000,0000000E), ref: 00B1A231
                      • ReleaseDC.USER32(?,00000000), ref: 00B1A239
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: CapsDevice$Release
                      • String ID:
                      • API String ID: 1035833867-0
                      APIs
                      • SetErrorMode.KERNEL32(00008001,00000000,?,00AF249C,0000000A), ref: 00AF115A
                      • CreateFileW.KERNEL32(00AF249C,80000000,00000000,00000000,00000003,00000080,00000000,?,00AF249C,0000000A), ref: 00AF1174
                      • SetErrorMode.KERNEL32(00000000,?,00AF249C,0000000A), ref: 00AF1180
                      • CloseHandle.KERNEL32(00000000,?,00AF249C,0000000A), ref: 00AF118C
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorMode$CloseCreateFileHandle
                      • String ID:
                      • API String ID: 1343785229-0
                      APIs
                      • FindClose.KERNEL32(00000000), ref: 00B08460
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      • __EH_prolog3_GS.LIBCMT ref: 00B0817A
                        • Part of subcall function 00AAC346: __EH_prolog3.LIBCMT ref: 00AAC34D
                        • Part of subcall function 00AAC346: GetLastError.KERNEL32(00000004,00ADA9A1,?,00000000,00000004,00AAEE6B,?,00000001), ref: 00AAC36F
                        • Part of subcall function 00AAC346: SetLastError.KERNEL32(?,00000000), ref: 00AAC3AF
                        • Part of subcall function 00B070E3: __EH_prolog3_GS.LIBCMT ref: 00B070ED
                        • Part of subcall function 00AB5F47: __EH_prolog3_GS.LIBCMT ref: 00AB5F4E
                        • Part of subcall function 00B07D6A: __EH_prolog3_GS.LIBCMT ref: 00B07D74
                        • Part of subcall function 00B07D6A: GetModuleHandleW.KERNEL32(kernel32.dll,FindFirstFileW,00000254,00B071E3), ref: 00B07D90
                        • Part of subcall function 00B07D6A: GetProcAddress.KERNEL32(00000000), ref: 00B07D93
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast$H_prolog3_$FreeString$AddressCloseFindH_prolog3HandleModuleProc
                      • String ID: *.*
                      • API String ID: 2006274578-438819550
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AC16FA
                        • Part of subcall function 00ADA973: __EH_prolog3.LIBCMT ref: 00ADA97A
                        • Part of subcall function 00AC2E13: __EH_prolog3_GS.LIBCMT ref: 00AC2E1A
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00AAC6A3: __EH_prolog3.LIBCMT ref: 00AAC6AA
                        • Part of subcall function 00AB5F47: __EH_prolog3_GS.LIBCMT ref: 00AB5F4E
                        • Part of subcall function 00B0AA9D: __EH_prolog3_GS.LIBCMT ref: 00B0AAA4
                        • Part of subcall function 00B0AA9D: RegQueryValueExW.ADVAPI32(?,?,00000000,00000008,00000000,?,0000005C,00AC17E1,?,-80000001,?,?), ref: 00B0AB19
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00AB08A9: __EH_prolog3.LIBCMT ref: 00AB08B0
                        • Part of subcall function 00AB09F6: __EH_prolog3.LIBCMT ref: 00AB09FD
                        • Part of subcall function 00AAF320: SysStringLen.OLEAUT32(?), ref: 00AAF32D
                        • Part of subcall function 00AAF320: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00AAF347
                        • Part of subcall function 00AB1233: __EH_prolog3_GS.LIBCMT ref: 00AB123D
                        • Part of subcall function 00AB1233: SysStringLen.OLEAUT32(?), ref: 00AB1363
                        • Part of subcall function 00AB1233: SysFreeString.OLEAUT32(?), ref: 00AB1372
                      Strings
                      • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00AC1794
                      • UninstallString, xrefs: 00AC177D
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: String$H_prolog3_$ErrorH_prolog3Last$Free$AllocQueryValue
                      • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$UninstallString
                      • API String ID: 1981213432-2644134543
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AC19DB
                        • Part of subcall function 00AC119E: RegOpenKeyExW.ADVAPI32(80000001,Software\InstallShield\ISWI\7.0\SetupExeLog,00000000,00000001,?), ref: 00AC11B8
                        • Part of subcall function 00AC119E: RegQueryValueExW.ADVAPI32(?,SetupLogFileName,00000000,00000000,00B669A8,?), ref: 00AC11DE
                        • Part of subcall function 00AC119E: RegCloseKey.ADVAPI32(?), ref: 00AC11F9
                        • Part of subcall function 00AF4CB1: _malloc.LIBCMT ref: 00AF4CC9
                        • Part of subcall function 00ADA406: __EH_prolog3_GS.LIBCMT ref: 00ADA410
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00AAF37B: __EH_prolog3.LIBCMT ref: 00AAF382
                        • Part of subcall function 00AAF320: SysStringLen.OLEAUT32(?), ref: 00AAF32D
                        • Part of subcall function 00AAF320: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00AAF347
                        • Part of subcall function 00AF0E43: lstrlenW.KERNEL32(?,?,?,00ADFB48,00B6B748,?,00B6BFCC,?,?,00AB0EBB,00000000,00000001,0000044F,00000000,000008A8,00AC0F82), ref: 00AF0E4B
                        • Part of subcall function 00AF0E43: lstrcpynW.KERNEL32(?,?,-00000001,?,00ADFB48,00B6B748,?,00B6BFCC,?,?,00AB0EBB,00000000,00000001,0000044F,00000000,000008A8), ref: 00AF0E6F
                        • Part of subcall function 00AF0E43: lstrcatW.KERNEL32(?,?,?,?,00ADFB48,00B6B748,?,00B6BFCC,?,?,00AB0EBB,00000000,00000001,0000044F,00000000,000008A8), ref: 00AF0E8C
                        • Part of subcall function 00AAC8E0: __EH_prolog3_GS.LIBCMT ref: 00AAC8E7
                        • Part of subcall function 00AAC8E0: GetLastError.KERNEL32(00000038,00AB6EF1), ref: 00AAC8EE
                        • Part of subcall function 00AAC8E0: SetLastError.KERNEL32(00000000), ref: 00AAC944
                        • Part of subcall function 00AC2F8F: __EH_prolog3_GS.LIBCMT ref: 00AC2F99
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorH_prolog3_Last$String$AllocCloseH_prolog3OpenQueryValue_malloclstrcatlstrcpynlstrlen
                      • String ID: /f1$Setup.iss
                      • API String ID: 1327292445-1350328100
                      • Opcode ID: e980f28527aaf3bfb6c2ac98c8fea9d1290533792c169c16d0fee4f2c19dae0c
                      • Instruction ID: b2912c8b6930374eaa9978604496a2c21965df57e3deffb1ad81fa18731fa88c
                      • Opcode Fuzzy Hash: e980f28527aaf3bfb6c2ac98c8fea9d1290533792c169c16d0fee4f2c19dae0c
                      • Instruction Fuzzy Hash: 07819170A05348EEDB10EBA4CA55FDDBBB4AF16304F0040D9E00A67692DB749F84DF92
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AE1CD0
                        • Part of subcall function 00AE1F5D: __EH_prolog3_GS.LIBCMT ref: 00AE1F64
                        • Part of subcall function 00ADA973: __EH_prolog3.LIBCMT ref: 00ADA97A
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      • Associated: 0000000A.00000002.3776383382.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B64000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B68000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B6C000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B6F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B9F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000BAF000.00000002.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: H_prolog3_$H_prolog3
                      • String ID: %20$file://
                      • API String ID: 3952504126-2765206336
                      • Opcode ID: 5258f1c0ec09c1733bff88ecc2f40cda1a59ab329e28a28c63c622013f7b8eaf
                      • Instruction ID: 58da46ba1a71c86c38e11a17bcecb03fe1040a1619e8dd4859970c59be8688b9
                      • Opcode Fuzzy Hash: 5258f1c0ec09c1733bff88ecc2f40cda1a59ab329e28a28c63c622013f7b8eaf
                      • Instruction Fuzzy Hash: D7615B71A10268EFDF24EB94CD95BEEB3B8AF55300F1040A9F045A7192EB705F49DB62
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00B08621
                      • CompareFileTime.KERNEL32(?,00000000,?,?,PSTORES.EXE,00000000,00000000,?,?,0000006C,00B0AE91,00B09960,?,?), ref: 00B08779
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      • Associated: 0000000A.00000002.3776383382.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B64000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B68000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B6C000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B6F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B9F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000BAF000.00000002.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: CompareFileH_prolog3Time
                      • String ID: PSTORES.EXE
                      • API String ID: 2703394530-1209905799
                      • Opcode ID: d94b134841f1252467692a5043566c2a02cbd758c604424a1a5c50e49a70fe0f
                      • Instruction ID: 6504a9afa9fa4e0a674c3d0dbe38ee8a9c38f63463850f110ff2899a6f08d42c
                      • Opcode Fuzzy Hash: d94b134841f1252467692a5043566c2a02cbd758c604424a1a5c50e49a70fe0f
                      • Instruction Fuzzy Hash: 9751EC72800219AEDF11DFD4D9819EEBFB8FF18310F24059AE581B7195DB30AA45DB61
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AD47E0
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00AD5076: __EH_prolog3.LIBCMT ref: 00AD507D
                        • Part of subcall function 00ADE6DD: __EH_prolog3_catch_GS.LIBCMT ref: 00ADE6E7
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00AB0684: __EH_prolog3_GS.LIBCMT ref: 00AB068B
                        • Part of subcall function 00ADD185: __EH_prolog3_GS.LIBCMT ref: 00ADD18C
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      • Associated: 0000000A.00000002.3776383382.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B64000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B68000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B6C000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B6F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B9F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000BAF000.00000002.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorLast$H_prolog3_$FreeString$H_prolog3H_prolog3_catch_
                      • String ID: ProductCode$UpgradeCode
                      • API String ID: 3764184794-492229846
                      • Opcode ID: 917e95828b6c4d56ef0c9e1bbfc639105dd77d8b53cef5bc671f072cf8d0e35b
                      • Instruction ID: 1c072dca2ff64bdd071f21fa2563dd0cd5d0b166bb94c38b12c2740ae76469ac
                      • Opcode Fuzzy Hash: 917e95828b6c4d56ef0c9e1bbfc639105dd77d8b53cef5bc671f072cf8d0e35b
                      • Instruction Fuzzy Hash: 3C519271900259EFDF14DBA4CD91BEEB7B9BF15300F144099E145AB2C2DB70AB48CB92
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      • Associated: 0000000A.00000002.3776383382.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B64000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B68000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B6C000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B6F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B9F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000BAF000.00000002.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID: invalid string position$string too long
                      • API String ID: 4104443479-4289949731
                      • Opcode ID: 86e61fbe62cac8074c69a8812d5088cafe1a709c29137a23044e289b81706999
                      • Instruction ID: a50dd28a86f675397262357ad81862a8285559cb17b7a3cdfc3daffcef8b9dc3
                      • Opcode Fuzzy Hash: 86e61fbe62cac8074c69a8812d5088cafe1a709c29137a23044e289b81706999
                      • Instruction Fuzzy Hash: BF31C432700B108BD7319E6DE840B6AF7E5EB92761F100A2FE54187292D7B29840C7E9
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      • Associated: 0000000A.00000002.3776383382.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B64000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B68000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B6C000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B6F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B9F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000BAF000.00000002.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID: invalid string position$string too long
                      • API String ID: 4104443479-4289949731
                      • Opcode ID: 56a6e450492917cb7f93c115d08bcda5985429ff882c1383fd68a55c22be6226
                      • Instruction ID: 53dc22bd1f4f5d4c2e8cfc6fc0bdd039d945bde35ba5312df89f673088535b4c
                      • Opcode Fuzzy Hash: 56a6e450492917cb7f93c115d08bcda5985429ff882c1383fd68a55c22be6226
                      • Instruction Fuzzy Hash: B931DE323047049B8B349F5DE88096BFBEAFFD2B513140A2FE451C7291EB71E9548BA5
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ACCEAF
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00ACBCE5: __EH_prolog3_GS.LIBCMT ref: 00ACBCEF
                        • Part of subcall function 00ACBCE5: VariantChangeType.OLEAUT32(?,?,00000000,00000002), ref: 00ACBD39
                        • Part of subcall function 00ACBCE5: VariantClear.OLEAUT32(?), ref: 00ACBF08
                      • _memset.LIBCMT ref: 00ACCF7D
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00AA3860: GetLastError.KERNEL32(6D9FB08F,?,?,?,?,00B308D8,000000FF), ref: 00AA38A2
                        • Part of subcall function 00AA3860: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,00B308D8,000000FF), ref: 00AA38FE
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      • Associated: 0000000A.00000002.3776383382.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B64000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B68000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B6C000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B6F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B9F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000BAF000.00000002.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorLast$FreeH_prolog3_StringVariant$ChangeClearType_memset
                      • String ID: Version
                      • API String ID: 751381712-1889659487
                      • Opcode ID: 16da4f846fc0bf1066297d161772bf82ea45c44277acf9c67d15f1e1e28a7d2f
                      • Instruction ID: 95e97c78dcd23163049220c7eba336de5d9e53b165f429c4f768ce7174716a0f
                      • Opcode Fuzzy Hash: 16da4f846fc0bf1066297d161772bf82ea45c44277acf9c67d15f1e1e28a7d2f
                      • Instruction Fuzzy Hash: AB517871901258AEDF60DBA4CD89BEEB7B8AF15300F1001E9E10DA7291EB705F89CF91
                      APIs
                        • Part of subcall function 00AA6510: SysAllocStringLen.OLEAUT32(00000000,?), ref: 00AA6559
                        • Part of subcall function 00AA6510: _memmove.LIBCMT ref: 00AA6581
                        • Part of subcall function 00AA6510: SysFreeString.OLEAUT32(00000000), ref: 00AA6591
                      • _memmove.LIBCMT ref: 00AA6405
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      • Associated: 0000000A.00000002.3776383382.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B64000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B68000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B6C000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B6F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B9F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000BAF000.00000002.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: String_memmove$AllocFree
                      • String ID: invalid string position$string too long
                      • API String ID: 105348488-4289949731
                      • Opcode ID: 349d594a2c05d28e8a71365388abf9da76bc79c4d908ad86bc49457c9d67d32a
                      • Instruction ID: 379da7c1fbdc2ecaadd852ed6e4603c8e133e6a0ede64c4a12436425443428a7
                      • Opcode Fuzzy Hash: 349d594a2c05d28e8a71365388abf9da76bc79c4d908ad86bc49457c9d67d32a
                      • Instruction Fuzzy Hash: 3131E7323047148B8B24DFACE98082AB3E9EFD6710324092FF011CB291DB71E905CBA4
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AC80BF
                        • Part of subcall function 00AAC6A3: __EH_prolog3.LIBCMT ref: 00AAC6AA
                        • Part of subcall function 00ACCB92: __EH_prolog3.LIBCMT ref: 00ACCB99
                        • Part of subcall function 00AB5F47: __EH_prolog3_GS.LIBCMT ref: 00AB5F4E
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      • Associated: 0000000A.00000002.3776383382.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B64000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B68000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B6C000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B6F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B9F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000BAF000.00000002.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorFreeH_prolog3H_prolog3_LastString
                      • String ID: Extracting resource: %s$msiaction.cpp
                      • API String ID: 262529356-4212155731
                      • Opcode ID: ba4d3f1cbd7cf602ccbb819d9fcf6f1d682f145841ec30d9fb20a121de9976ca
                      • Instruction ID: dcb05163470a3903414a6b18be5c5cf4bc7ea5bded631e95398b4870feb8e8bc
                      • Opcode Fuzzy Hash: ba4d3f1cbd7cf602ccbb819d9fcf6f1d682f145841ec30d9fb20a121de9976ca
                      • Instruction Fuzzy Hash: E3414C30D01258EEDB14DBA4CE55BEDB7B4BF11300F1481ADE04AA7192DB745A49DB61
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AB6A13
                      • DialogBoxIndirectParamW.USER32(?,00000000,?,?,?), ref: 00AB6B01
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      • Associated: 0000000A.00000002.3776383382.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B64000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B68000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B6C000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B6F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B9F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000BAF000.00000002.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: DialogH_prolog3_IndirectParam
                      • String ID: Tahoma
                      • API String ID: 1500191164-3580928618
                      • Opcode ID: 8d5d21f3275f8f68c44d8b71385fa205e517e4046c62eecec36f58e37e34e3f8
                      • Instruction ID: ab526c34408e52b52be93a7d8ed16cae070173adf52a38c51b301d3a90dfcd52
                      • Opcode Fuzzy Hash: 8d5d21f3275f8f68c44d8b71385fa205e517e4046c62eecec36f58e37e34e3f8
                      • Instruction Fuzzy Hash: F4317E31800119EBDF10DFA4C945BEDBBB8BF18354F148099F981A7293EB75AE15DBA0
                      APIs
                      • _memmove.LIBCMT ref: 00AA5CAC
                      • SysFreeString.OLEAUT32 ref: 00AA5CB8
                        • Part of subcall function 00AA6510: SysAllocStringLen.OLEAUT32(00000000,?), ref: 00AA6559
                        • Part of subcall function 00AA6510: _memmove.LIBCMT ref: 00AA6581
                        • Part of subcall function 00AA6510: SysFreeString.OLEAUT32(00000000), ref: 00AA6591
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      • Associated: 0000000A.00000002.3776383382.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B64000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B68000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B6C000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B6F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B9F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000BAF000.00000002.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: String$Free_memmove$Alloc
                      • String ID: string too long
                      • API String ID: 2303858246-2556327735
                      • Opcode ID: 9c6702c381df2f835df5e4f601524811c027fb4911ff3b084466f9374f690d69
                      • Instruction ID: d3b03130460e3ea1214e3ac04e8a8e48a0157f0deef42680d3d3375c5b6fd634
                      • Opcode Fuzzy Hash: 9c6702c381df2f835df5e4f601524811c027fb4911ff3b084466f9374f690d69
                      • Instruction Fuzzy Hash: 50110332600B045BD730DFB9E88096AB3E9FF963307104E2EE486C7194D731E5088B58
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00ACAD01
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00AF0E43: lstrlenW.KERNEL32(?,?,?,00ADFB48,00B6B748,?,00B6BFCC,?,?,00AB0EBB,00000000,00000001,0000044F,00000000,000008A8,00AC0F82), ref: 00AF0E4B
                        • Part of subcall function 00AF0E43: lstrcpynW.KERNEL32(?,?,-00000001,?,00ADFB48,00B6B748,?,00B6BFCC,?,?,00AB0EBB,00000000,00000001,0000044F,00000000,000008A8), ref: 00AF0E6F
                        • Part of subcall function 00AF0E43: lstrcatW.KERNEL32(?,?,?,?,00ADFB48,00B6B748,?,00B6BFCC,?,?,00AB0EBB,00000000,00000001,0000044F,00000000,000008A8), ref: 00AF0E8C
                      Strings
                      • C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}, xrefs: 00ACADE3
                      • CertKey, xrefs: 00ACAD40
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      • Associated: 0000000A.00000002.3776383382.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776511882.0000000000B35000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B64000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B68000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776640778.0000000000B6C000.00000004.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B6F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000B9F000.00000002.00000001.01000000.00000007.sdmp
                      • Associated: 0000000A.00000002.3776803858.0000000000BAF000.00000002.00000001.01000000.00000007.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_aa0000_setup.jbxd
                      Similarity
                      • API ID: ErrorLast$FreeString$H_prolog3_lstrcatlstrcpynlstrlen
                      • String ID: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}$CertKey
                      • API String ID: 1792746009-1451713695
                      • Opcode ID: 2a240311f5f8e03b7a27e5603bc206f499ab09d0a00e9c02a577ac411c9edd4d
                      • Instruction ID: f6bf9ea7d84db4c54cfcec4d481df941800d4bf59a2dca83d539c430ae8914ce
                      • Opcode Fuzzy Hash: 2a240311f5f8e03b7a27e5603bc206f499ab09d0a00e9c02a577ac411c9edd4d
                      • Instruction Fuzzy Hash: F9312771910219EEDB14DBA4CD91FEEB7B4FF15300F5481AAF116B7091EB70AA88CB61
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00AE0632
                        • Part of subcall function 00AE00A7: __EH_prolog3_GS.LIBCMT ref: 00AE00B1
                        • Part of subcall function 00AE00A7: InterlockedDecrement.KERNEL32(00000000), ref: 00AE00C1
                        • Part of subcall function 00AE00A7: CloseHandle.KERNEL32(000000FF), ref: 00AE00E9
                        • Part of subcall function 00AE00A7: __CxxThrowException@8.LIBCMT ref: 00AE0122
                        • Part of subcall function 00AF4CB1: _malloc.LIBCMT ref: 00AF4CC9
                        • Part of subcall function 00AF4CB1: std::exception::exception.LIBCMT ref: 00AF4CE5
                        • Part of subcall function 00AF4CB1: __CxxThrowException@8.LIBCMT ref: 00AF4CFA
                      • GetLastError.KERNEL32(000000FF,00000000,80400100,?,00000000,00AECC42,00B3C124,80000000,00000001,00000080,00000003,00000000,00000000,?,00000000,00000084), ref: 00AE070D
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: Exception@8Throw$CloseDecrementErrorH_prolog3H_prolog3_HandleInterlockedLast_mallocstd::exception::exception
                      • String ID: toys::file
                      • API String ID: 2011250969-314977804
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AB8882
                        • Part of subcall function 00AA2580: GetLastError.KERNEL32 ref: 00AA259F
                        • Part of subcall function 00AA2580: SetLastError.KERNEL32(?), ref: 00AA25CF
                        • Part of subcall function 00AAF37B: __EH_prolog3.LIBCMT ref: 00AAF382
                        • Part of subcall function 00AAF320: SysStringLen.OLEAUT32(?), ref: 00AAF32D
                        • Part of subcall function 00AAF320: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00AAF347
                      • GetModuleFileNameW.KERNEL32(00000000,00000400,?,00000400), ref: 00AB88EC
                        • Part of subcall function 00AAC8E0: __EH_prolog3_GS.LIBCMT ref: 00AAC8E7
                        • Part of subcall function 00AAC8E0: GetLastError.KERNEL32(00000038,00AB6EF1), ref: 00AAC8EE
                        • Part of subcall function 00AAC8E0: SetLastError.KERNEL32(00000000), ref: 00AAC944
                        • Part of subcall function 00AAC6A3: __EH_prolog3.LIBCMT ref: 00AAC6AA
                        • Part of subcall function 00AAF565: __EH_prolog3_GS.LIBCMT ref: 00AAF56F
                        • Part of subcall function 00AB5F47: __EH_prolog3_GS.LIBCMT ref: 00AB5F4E
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                        • Part of subcall function 00ADA973: __EH_prolog3.LIBCMT ref: 00ADA97A
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast$H_prolog3_String$H_prolog3$Free$AllocFileModuleName
                      • String ID: ISSetup.dll
                      • API String ID: 4249000290-2131771917
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AE5380
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00AC51D4: __EH_prolog3_GS.LIBCMT ref: 00AC51DB
                        • Part of subcall function 00AC51D4: __ltow_s.LIBCMT ref: 00AC5213
                        • Part of subcall function 00AC51D4: SetLastError.KERNEL32(00000008,00000000,00000000,?,?,?,00000000,?,?,00000001), ref: 00AC5242
                        • Part of subcall function 00ABA734: __EH_prolog3_GS.LIBCMT ref: 00ABA73B
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast$H_prolog3_$FreeString$__ltow_s
                      • String ID: ISSetupPrerequisites$PreReqFeatures
                      • API String ID: 3540359163-2505955310
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AE5461
                        • Part of subcall function 00AA25E0: GetLastError.KERNEL32(6D9FB08F,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA2630
                        • Part of subcall function 00AA25E0: SetLastError.KERNEL32(?,00B45168,00000000,?,00000000,74DEDFA0,?,?,00B30988,000000FF,?,00AA1902,InstallShield.log,?,00000001), ref: 00AA26A8
                        • Part of subcall function 00AC51D4: __EH_prolog3_GS.LIBCMT ref: 00AC51DB
                        • Part of subcall function 00AC51D4: __ltow_s.LIBCMT ref: 00AC5213
                        • Part of subcall function 00AC51D4: SetLastError.KERNEL32(00000008,00000000,00000000,?,?,?,00000000,?,?,00000001), ref: 00AC5242
                        • Part of subcall function 00ABA734: __EH_prolog3_GS.LIBCMT ref: 00ABA73B
                        • Part of subcall function 00AA1580: GetLastError.KERNEL32(00000000,00B45168,00AA60B5), ref: 00AA158F
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(00AF336D), ref: 00AA15AB
                        • Part of subcall function 00AA1580: SysFreeString.OLEAUT32(0000002C), ref: 00AA15B6
                        • Part of subcall function 00AA1580: SetLastError.KERNEL32(?), ref: 00AA15D4
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast$H_prolog3_$FreeString$__ltow_s
                      • String ID: ISSetupPrerequisites$PreReq
                      • API String ID: 3540359163-3399441029
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 00AC0F57
                        • Part of subcall function 00AB091B: __EH_prolog3.LIBCMT ref: 00AB0922
                        • Part of subcall function 00AB0E46: __EH_prolog3_GS.LIBCMT ref: 00AB0E50
                      • lstrcpyW.KERNEL32(?,00000000,00000452,?,00000218,00AC12C5,?,0000043C,00AAB930,?), ref: 00AC0FB3
                      Strings
                      • C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}, xrefs: 00AC0F9D
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: H_prolog3_$H_prolog3lstrcpy
                      • String ID: C:\Users\user\AppData\Local\Temp\{5ADF322E-F483-4666-AC2C-04CC4A5CEF10}
                      • API String ID: 3469851533-4156213419
                      APIs
                      • _memset.LIBCMT ref: 00ADE61D
                        • Part of subcall function 00AAD24B: __EH_prolog3_GS.LIBCMT ref: 00AAD252
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: H_prolog3__memset
                      • String ID: PackageName$Startup
                      • API String ID: 3055368530-2142348390
                      APIs
                      • GetProcAddress.KERNEL32(?,RunISMSISetup), ref: 00AB8D64
                      • GetLastError.KERNEL32 ref: 00AB8D6E
                      Strings
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: AddressErrorLastProc
                      • String ID: RunISMSISetup
                      • API String ID: 199729137-1536503584
                      APIs
                      • GetLastError.KERNEL32(6D9FB08F), ref: 00B12AEC
                      • SetLastError.KERNEL32(00B36418,00000000,00000000,000000FF), ref: 00B12B46
                      • GetLastError.KERNEL32(?,?), ref: 00B12B8A
                      • SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 00B12BD5
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast
                      • String ID:
                      • API String ID: 1452528299-0
                      APIs
                      • GetLastError.KERNEL32(?,00B161DA,6D9FB08F), ref: 00B15E70
                      • SetLastError.KERNEL32(?), ref: 00B15EA0
                      • GetLastError.KERNEL32 ref: 00B15EB4
                      • SetLastError.KERNEL32(?), ref: 00B15EE4
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3776406228.0000000000AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AA0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast
                      • String ID:
                      • API String ID: 1452528299-0