Windows Analysis Report
SureDI.exe

Overview

General Information

Sample name:	SureDI.exe
Analysis ID:	1523277
MD5:	1a6a5dbfd0a009f1d1738eb4abd18316
SHA1:	6d1598d23209aec395263376f6fb753100031cae
SHA256:	e8ee9c2ba8f88c3a4c6d3221327c0242c17ad9204f6830e12adfbe6e00981b20
Infos:

Detection

Score:	26
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Compliance

Score:	49
Range:	0 - 100

Signatures

Loading BitLocker PowerShell Module

Reads the Security eventlog

Reads the System eventlog

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Sigma detected: Suspicious Execution From GUID Like Folder Names

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00495C46 CryptReleaseContext,	0_2_00495C46
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00495C7E CryptDestroyHash,	0_2_00495C7E
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00495C98 CryptDestroyKey,	0_2_00495C98
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00495DC9 CryptExportKey,	0_2_00495DC9
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0049604C CryptGetHashParam,GetLastError,CryptGetHashParam,	0_2_0049604C
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0049620A CryptHashData,	0_2_0049620A
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00496296 CryptImportKey,	0_2_00496296
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00496320 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError,	0_2_00496320
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0049663C CoCreateGuid,StringFromGUID2,_wcsncpy,CryptAcquireContextW,CryptCreateHash,	0_2_0049663C
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_004969CD CryptGetHashParam,GetLastError,CryptSetHashParam,	0_2_004969CD
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00496A5A CryptAcquireContextW,CryptReleaseContext,CryptDestroyHash,	0_2_00496A5A
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00496DB9 SetFilePointer,CryptSignHashW,GetLastError,CryptSignHashW,WriteFile,WriteFile,WriteFile,SetFilePointer,	0_2_00496DB9
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00495C46 CryptReleaseContext,	1_2_00495C46
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00495C7E CryptDestroyHash,	1_2_00495C7E
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00495C98 CryptDestroyKey,	1_2_00495C98
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00495DC9 CryptExportKey,	1_2_00495DC9
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0049604C CryptGetHashParam,GetLastError,CryptGetHashParam,	1_2_0049604C
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0049620A CryptHashData,	1_2_0049620A
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00496296 CryptImportKey,	1_2_00496296
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00496320 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError,	1_2_00496320
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0049663C CoCreateGuid,StringFromGUID2,_wcsncpy,CryptAcquireContextW,CryptCreateHash,	1_2_0049663C
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_004969CD CryptGetHashParam,GetLastError,CryptSetHashParam,	1_2_004969CD
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00496A5A CryptAcquireContextW,CryptReleaseContext,CryptDestroyHash,	1_2_00496A5A
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00496DB9 SetFilePointer,CryptSignHashW,GetLastError,CryptSignHashW,WriteFile,WriteFile,WriteFile,SetFilePointer,	1_2_00496DB9

Compliance

Uses 32bit PE files

Source: SureDI.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.DBDataService.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.DBManager.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Launcher.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Logging.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.MaterialsService.Interface.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.Interface.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Editors.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Interface.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Layers.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Other.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Utils.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\CreateSQLServerDatabase.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\backup_SQLRigaku.cmd	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DBMaintenance.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles\database_backup.xml	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles\RigakuDB_Logging.bak	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles\RigakuDB_Project.bak	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles\RigakuDB_System.bak	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\LocalSQLserverSettings.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLserverConnectionSettings.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DSCViewerControlLib.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Charts.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.CodeParser.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Data.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.DataAccess.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Docs.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Images.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Mvvm.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Office.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Drawing.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Printing.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.RichEdit.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Snap.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Sparkline.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Spreadsheet.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Utils.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Charts.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.CodeView.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Controls.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Core.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Docking.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.DocumentViewer.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Gauges.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Extensions.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Layout.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.LayoutControl.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.NavBar.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.PdfViewer.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Printing.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Ribbon.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.RichEdit.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Spreadsheet.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.Office2016White.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.SmartBlue.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpo.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.XtraCharts.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.XtraEditors.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logic.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.DBBrowser.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Interface.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logging.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Signature.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.UICommon.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Help	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Help\SureDI_BasicPart_UserManual_EN.pdf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Help\SureDI_BasicPart_UserManual_JA.pdf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Help\SureDI_SystemAdministrator_UserManual_EN.pdf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Help\SureDI_SystemAdministrator_UserManual_JA.pdf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Data.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.DataAccess.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Office.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Printing.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.RichEdit.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Snap.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Sparkline.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Spreadsheet.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Charts.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Controls.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Core.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Docking.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.DocumentViewer.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Grid.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.LayoutControl.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.NavBar.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.PdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Printing.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Ribbon.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Spreadsheet.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpo.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.XtraCharts.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.Materials.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.MathA.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.Sample.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.StressModule.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.SystemExtensions.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.TextureModule.v1.1.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.XrayPhysics.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Editors.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Interface.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Layers.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Other.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Utils.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.CustomDataDialog.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DataBrowserDialog.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DBKeeperLogic.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DSCViewerControlLib.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.DBBrowser.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.UICommon.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.ImageViewerControlLib.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.MRInfrastructure.v3.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.DBManager.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.Launcher.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.Logging.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.UserManager.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.RigakuCommonTools.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.DBDataService.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.ReportingService.Interface.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.ReportingService.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.SignatureLib.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\SureDI.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\JP	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\JP\License.rtf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\ThirdParty	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\ThirdParty\ThirdPartyPrograms.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\US	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\US\License.rtf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.Database.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.Interactivity.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.MefExtensions.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.UnityExtensions.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.ServiceLocation.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.Interception.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Materials.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.MathA.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Sample.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressMath.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressModule.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.SystemExtensions.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureMath.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureModule.v1.1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.XrayPhysics.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.ImageLib.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.IO.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.RasxLib.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.Communication.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.DataStruct.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Basic.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Film.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Powder.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.xPDF.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB\AddDataFileResultFilesInfoConstraint.sql	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB\CreateDataFileResultFilesInfo.sql	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB\CreateTablesMng.sql	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\EntLibContrib.Logging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Ionic.Zip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\MathNet.Numerics.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\PdfSharp-WPF.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\PdfSharp.Xps.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\PluginsCatalog.xaml	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.Interface.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.CustomDataDialog.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DataBrowserDialog.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DBKeeperLogic.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DBUPR.DI.v1.0.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.ImageViewerControlLib.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.MRInfrastructure.v3.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.RigakuCommonTools.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.RLPS.DI.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.SignatureLib.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SlimDX.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\System.ComponentModel.Composition.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\System.Windows.Interactivity.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\tbb.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\TouchKeyboardNotifier.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\zlib.net.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\UpdateSQL.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\wupi.net.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\WupiEngine64.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\WupiEngineNet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\MonitoredUndo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.UndoRedoService.Interface.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.UserManager.v4.0.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12226574-52CC-483F-8DB0-E617C91F04D0}

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\License\JP\License.rtf			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\License\US\License.rtf			Jump to behavior

Source: SureDI.exe

Static PE information: certificate valid

Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.Logging\obj\Release\Rigaku.EresSystem.Logging.v1.0.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2930700715.000001C23A0C2000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: Newtonsoft.Json.dll.3.dr
Source:	Binary string: e:\Builds\EntLib\Latest\Source\Blocks\Logging\Src\Logging\obj\Release\Microsoft.Practices.EnterpriseLibrary.Logging.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934280354.000001C252A22000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: msvcr100.amd64.pdb source: msvcr100.dll.3.dr
Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.UICommon\obj\Release\Rigaku.EresSystem.UICommon.v1.0.pdbE source: Rigaku.EresSystem.UICommon.v1.0.dll.3.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.3.dr
Source:	Binary string: e:\Builds\Unity\UnityTemp\Compile\Unity\Unity\Src\obj\Release\Microsoft.Practices.Unity.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2933982351.000001C2529A2000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: e:\Builds\Unity\UnityTemp\Compile\Unity\Unity.Interception\Src\obj\Release\Microsoft.Practices.Unity.Interception.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934118534.000001C2529D2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: e:\Builds\Unity\UnityTemp\Compile\Unity\Unity.Interception\Src\obj\Release\Microsoft.Practices.Unity.Interception.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934118534.000001C2529D2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\Desktop\Plugins\DBManager\Source\DBManager\obj\x64\Release\Rigaku.Plugins.DBManager.v4.0.pdb source: Rigaku.Plugins.DBManager.v4.0.dll.3.dr
Source:	Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\XPF\DevExpress.Xpf.Core\DevExpress.Xpf.Core\obj.Wpf\Release\DevExpress.Xpf.Core.v19.2.pdbH! source: DevExpress.Xpf.Core.v19.2.dll.3.dr
Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.UICommon\obj\Release\Rigaku.EresSystem.UICommon.v1.0.pdb source: Rigaku.EresSystem.UICommon.v1.0.dll.3.dr
Source:	Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\XPF\DevExpress.Mvvm\DevExpress.Mvvm.UI.ApplicationJumpTaskLauncher\obj\Release\DevExpress.Mvvm.UI.ApplicationJumpTaskLauncher.pdb source: DevExpress.Xpf.Core.v19.2.dll.3.dr
Source:	Binary string: c:\Home\Chris\Projects\CommonServiceLocator\main\Microsoft.Practices.ServiceLocation\obj\Release\Microsoft.Practices.ServiceLocation.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2930784627.000001C23A0E2000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\XPF\DevExpress.Xpf.Core\DevExpress.Xpf.Core\obj.Wpf\Release\DevExpress.Xpf.Core.v19.2.pdb source: DevExpress.Xpf.Core.v19.2.dll.3.dr
Source:	Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setup.pdb source: SureDI.exe
Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.MonitorService\obj\x64\Release\Rigaku.EresSystem.MonitorService.v1.0.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000000.2105764810.000001C2398F2000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: e:\Builds\EntLib\Latest\Source\Blocks\Common\Src\obj\Release\Microsoft.Practices.EnterpriseLibrary.Common.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934567546.000001C252AA2000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\Win\DevExpress.Pdf\DevExpress.Pdf.Core\obj_netFW\Release\DevExpress.Pdf.v19.2.Core.pdb source: DevExpress.Pdf.v19.2.Core.dll.3.dr
Source:	Binary string: C:\Project\develop_v4.5_Rigaku_ERES_SDK\SQLDatabase\Tools\Maintenance\LocalSQLserverSettings\LocalSQLserverSettings\obj\Release\LocalSQLserverSettings.pdb source: LocalSQLserverSettings.exe.3.dr
Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.Monitor\obj\x64\Release\Rigaku.EresSystem.Monitor.v1.0.pdb source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000000.2161411867.00000216E2912000.00000002.00000001.01000000.00000009.sdmp

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_004373F3 __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,		0_2_004373F3
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_004373F3 __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,		1_2_004373F3

Networking

Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: Https://go.devexpress.com/Demo_2013_BuyNow.aspxfhttps://go.devexpress.com/Demo_2013_BuyNow_ASP.aspxl
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: Https://go.devexpress.com/Demo_2013_Chat.aspxgHttps://go.devexpress.com/Demo_2013_GetSupport.aspx
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://creativecommons.org/ns#
Source: svchost.exe, 0000000F.00000002.2932195097.00000249FAA00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2931507929.00000216E478C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/Rigaku.EresSystem.Monitor.v1.0;component/mainwindow.xaml
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://documentation.devexpress.com/
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2931507929.00000216E478C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/mainwindow.baml
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2931507929.00000216E478C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/mainwindow.xaml
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://go.devexpress.com/SupportXBAP.aspx
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/accordion/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/accordion/themekeyslhttp://schemas.devexpress.com/winf
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr, Rigaku.Plugins.DBManager.v4.0.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/bars
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/bars/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/bars/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/carousel/themekeysjhttp://schemas.devexpress.com/winfx
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/charts/rangecontrolclient
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/charts/themekeyshhttp://schemas.devexpress.com/winfx/2
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/controls/themekeysphttp://schemas.devexpress.com/winfx
Source: Rigaku.EresSystem.UICommon.v1.0.dll.3.dr, Rigaku.Plugins.DBManager.v4.0.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core)DevExpress.Xpf.Core.ConditionalFormatting
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core)DevExpress.Xpf.Core.ConditionalFormattingq
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/filteringui
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/filteringui/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/filteringui/themekeysxhttp://schemas.devexpress.c
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/internal0DevExpress.Xpf.Core.ConditionalFormattin
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/themekeys0DevExpress.Xpf.Core.ConditionalFormatti
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/wizardframework
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/wizardframework#DevExpress.Xpf.Core.WizardFramewo
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/wizardframeworkvhttp://schemas.devexpress.com/win
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/dashboard/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/dashboard/themekeys:DevExpress.Xpf.DocumentViewerHDevE
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/dataaccess/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/dataaccess/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/diagram/internal~http://schemas.devexpress.com/winfx/2
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/dialogs/internalfhttp://schemas.devexpress.com/winfx/2
Source: Rigaku.CustomDataDialog.v1.0.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/docking
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/docking/platform
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/docking/visualelementsnhttp://schemas.devexpress.com/w
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/documentviewer/themekeysbhttp://schemas.devexpress.com
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr, Rigaku.EresSystem.UICommon.v1.0.dll.3.dr, Rigaku.Plugins.DBManager.v4.0.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors#DevExpress.Xpf.Editors.RangeControl
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors#DevExpress.Xpf.Editors.RangeControlZ
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors$DevExpress.Xpf.Editors.DateNavigator
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors&DevExpress.Xpf.Editors.Popups.Calendar
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors&DevExpress.Xpf.Editors.Popups.Calendar;
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors)DevExpress.Xpf.Editors.Settings.Extension
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors)DevExpress.Xpf.Editors.Settings.Extensionb
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors/internal$DevExpress.Xpf.Editors.Flyout.Native
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors/internal$DevExpress.Xpf.Editors.Flyout.NativeG
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors/internal-DevExpress.Xpf.Editors.DateNavigator.
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors/internalthttp://schemas.devexpress.com/winfx/2
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/expressioneditor
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/expressioneditor/internalthttp://schemas.devexpress.co
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/gauges/themekeysbhttp://schemas.devexpress.com/winfx/2
Source: Rigaku.EresSystem.UICommon.v1.0.dll.3.dr, Rigaku.Plugins.DBManager.v4.0.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/grid
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/mvvm
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/mvvm/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/mvvm/internal$DevExpress.Mvvm.UI
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/mvvm/internal)DevExpress.Mvvm.UI.Interactivity.Interna
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/navbar/themekeysjhttp://schemas.devexpress.com/winfx/2
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/navigation/internalnhttp://schemas.devexpress.com/winf
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/office
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/office/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/office/themekeyslhttp://schemas.devexpress.com/winfx/2
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/pivotgrid/internaldhttp://schemas.devexpress.com/winfx
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/pivotgrid/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr, Rigaku.Plugins.DBManager.v4.0.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/printing
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/printing/parametersphttp://schemas.devexpress.com/winf
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/printing/themekeyszhttp://schemas.devexpress.com/winfx
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/propertygrid/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/propertygrid/themekeysjhttp://schemas.devexpress.com/w
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/reports/userdesigner
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/reports/userdesigner/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/reports/userdesigner/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/reports/userdesigner/wizard
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/reports/userdesigner/wizard/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/reports/userdesignerextensionsvhttp://schemas.devexpre
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr, Rigaku.Plugins.DBManager.v4.0.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/ribbon
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/ribbon/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/ribbon/themekeyshhttp://schemas.devexpress.com/winfx/2
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/richedit
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/richedit/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/richeditextensionslhttp://schemas.devexpress.com/winfx
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/scheduler/internalphttp://schemas.devexpress.com/winfx
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/scheduler/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/scheduling/themekeyshhttp://schemas.devexpress.com/win
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/spreadsheet/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/spreadsheet/themekeysdhttp://schemas.devexpress.com/wi
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/windowsui/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/windowsui/navigationlhttp://schemas.devexpress.com/win
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/windowsui/themekeys
Source: Rigaku.EresSystem.UICommon.v1.0.dll.3.dr	String found in binary or memory: http://schemas.rigaku.com/eressystem/uicommon
Source: Rigaku.CustomDataDialog.v1.0.dll.3.dr	String found in binary or memory: http://schemas.rigaku.com/slsii/infra/customfiledialog
Source: Rigaku.CustomDataDialog.v1.0.dll.3.dr	String found in binary or memory: http://schemas.rigaku.com/slsii/infra/dscviewerctrl
Source: Rigaku.CustomDataDialog.v1.0.dll.3.dr	String found in binary or memory: http://schemas.rigaku.com/slsii/infra/imgviewerctrl
Source: Rigaku.Plugins.DBManager.v4.0.dll.3.dr	String found in binary or memory: http://schemas.rigaku.com/slsii/plugins/dbmanager
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr	String found in binary or memory: http://t2.symcb.com0
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr	String found in binary or memory: http://tl.symcd.com0&
Source: DevExpress.Pdf.v19.2.Core.dll.3.dr	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://www.inkscape.org/namespaces/inkscape
Source: SureDI.exe	String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SureDI.exe, 00000001.00000003.2222889116.0000000000680000.00000004.00000020.00020000.00000000.sdmp, SureDI.exe, 00000001.00000002.2224330579.000000000068D000.00000004.00000020.00020000.00000000.sdmp, SureDI.exe, 00000001.00000003.2223003927.000000000068C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rigaku.com
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: https://documentation.devexpress.com/#WPF/CustomDocument17469
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: https://documentation.devexpress.com/WPF/11765/Controls-and-Libraries/Data-Grid/Binding-to-Data/Mana
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA933000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.2247382757.00000249FA984000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.2247382757.00000249FA997000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.2247382757.00000249FA952000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.2247382757.00000249FA978000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: https://go.devexpress.com/Demo_2013_Competitive_Discounts.aspx_Https://go.devexpress.com/Demo_2013_B
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: https://go.devexpress.com/Demo_2013_Competitive_Discounts.aspxzhttps://go.devexpress.com/Demo_2013_C
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: https://go.devexpress.com/Demo_2013_RegisterTrial.aspx
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr	String found in binary or memory: https://www.devexpress.com/0
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: https://www.nuget.org/packages/Mono.Cecil/)
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr	String found in binary or memory: https://www.thawte.com/repository0W

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\Rigaku.EresSystem.MonitorService.v1.0	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\Rigaku.EresSystem.MonitorService.v1.0	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\Rigaku.EresSystem.MonitorService.v1.0	Jump to behavior

Reads the System eventlog

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\Rigaku.EresSystem.MonitorService.v1.0	Jump to behavior

Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00496296 CryptImportKey,	0_2_00496296
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00496320 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError,	0_2_00496320
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00496296 CryptImportKey,	1_2_00496296
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00496320 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError,	1_2_00496320

System Summary

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00489993 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,		0_2_00489993
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00489993 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,		1_2_00489993

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4d26bb.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4d26bc.mst	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{12226574-52CC-483F-8DB0-E617C91F04D0}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI360D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI36C9.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\msvcr100.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6BC5.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{12226574-52CC-483F-8DB0-E617C91F04D0}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{12226574-52CC-483F-8DB0-E617C91F04D0}\ARPPRODUCTICON.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8CAC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4d26be.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4d26be.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{12226574-52CC-483F-8DB0-E617C91F04D0}\1033.MST	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI360D.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0044A891	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_004782CB	0_2_004782CB
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00478834	0_2_00478834
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040C980	0_2_0040C980
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00498C92	0_2_00498C92
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00408D60	0_2_00408D60
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040CDD0	0_2_0040CDD0
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00478DA4	0_2_00478DA4
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00468E1E	0_2_00468E1E
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00458F38	0_2_00458F38
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040D090	0_2_0040D090
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00465120	0_2_00465120
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040D3F0	0_2_0040D3F0
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00479453	0_2_00479453
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040D476	0_2_0040D476
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040D438	0_2_0040D438
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00409482	0_2_00409482
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040D4B6	0_2_0040D4B6
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040D600	0_2_0040D600
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0046E37B	0_2_0046E37B
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0049E300	0_2_0049E300
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0046A5E9	0_2_0046A5E9
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0047A8E7	0_2_0047A8E7
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00462CB0	0_2_00462CB0
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00472EDD	0_2_00472EDD
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0047B063	0_2_0047B063
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0046306F	0_2_0046306F
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0042F538	0_2_0042F538
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00463CC5	0_2_00463CC5
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0045FE04	0_2_0045FE04
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00408D60	1_2_00408D60
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0044A891	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0042F538	1_2_0042F538
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_004782CB	1_2_004782CB
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00478834	1_2_00478834
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040C980	1_2_0040C980
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00498C92	1_2_00498C92
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040CDD0	1_2_0040CDD0
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00478DA4	1_2_00478DA4
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00468E1E	1_2_00468E1E
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00458F38	1_2_00458F38
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040D090	1_2_0040D090
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00465120	1_2_00465120
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040D3F0	1_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00479453	1_2_00479453
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040D476	1_2_0040D476
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040D438	1_2_0040D438
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00409482	1_2_00409482
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040D4B6	1_2_0040D4B6
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040D600	1_2_0040D600
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0046E37B	1_2_0046E37B
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0049E300	1_2_0049E300
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0046A5E9	1_2_0046A5E9
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0047A8E7	1_2_0047A8E7
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00462CB0	1_2_00462CB0
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00472EDD	1_2_00472EDD
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0047B063	1_2_0047B063
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0046306F	1_2_0046306F
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00463CC5	1_2_00463CC5
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0045FE04	1_2_0045FE04
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B64756F	10_2_00007FFD9B64756F
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Code function: 13_2_00007FFD9B63103B	13_2_00007FFD9B63103B
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Code function: 13_2_00007FFD9B631985	13_2_00007FFD9B631985
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Code function: 13_2_00007FFD9B638879	13_2_00007FFD9B638879

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00402CA0 appears 214 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00419D16 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00419426 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00454718 appears 107 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00452D09 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 004546AF appears 468 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00458540 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 004115ED appears 115 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00452CDB appears 71 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 004546E2 appears 313 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 004533D0 appears 131 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00402CA0 appears 213 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00419D16 appears 42 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00419426 appears 39 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00454718 appears 107 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00452D09 appears 57 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 004546AF appears 468 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00458540 appears 42 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 004115ED appears 113 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00452CDB appears 71 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 004546E2 appears 313 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 004533D0 appears 131 times

PE file does not import any functions

Source: Rigaku.Plugins.DBManager.v4.0.dll.3.dr	Static PE information: No import functions for PE file found
Source: Rigaku.Plugins.UserManager.v4.0.dll.3.dr	Static PE information: No import functions for PE file found
Source: Rigaku.Plugins.Launcher.v1.0.dll.3.dr	Static PE information: No import functions for PE file found
Source: Rigaku.Plugins.Logging.v4.0.dll.3.dr	Static PE information: No import functions for PE file found
Source: Rigaku.Services.DBDataService.v4.0.dll.3.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: SureDI.exe, 00000000.00000000.1663445755.0000000000536000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs SureDI.exe
Source: SureDI.exe, 00000001.00000002.2224022369.0000000000536000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs SureDI.exe
Source: SureDI.exe	Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs SureDI.exe

Uses 32bit PE files

Source: SureDI.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	Binary or memory string: *.vbproj
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr	Binary or memory string: tXtraSpreadsheetFunctionArgumentDescriptionStringId.SlnLife
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr	Binary or memory string: %lXtraSpreadsheetFunctionArgumentNameStringId.SeriessumN"%lXtraSpreadsheetFunctionArgumentNameStringId.SeriessumX%%lXtraSpreadsheetFunctionArgumentNameStringId.SheetValue(%vXtraSpreadsheetFunctionArgumentNameStringId.SheetsReference-%lXtraSpreadsheetFunctionArgumentNameStringId.SignNumber5%lXtraSpreadsheetFunctionArgumentNameStringId.SinHNumber=%jXtraSpreadsheetFunctionArgumentNameStringId.SinNumberE%nXtraSpreadsheetFunctionArgumentNameStringId.SkewNumber1M%nXtraSpreadsheetFunctionArgumentNameStringId.SkewNumber2V%pXtraSpreadsheetFunctionArgumentNameStringId.SkewPNumber1_%pXtraSpreadsheetFunctionArgumentNameStringId.SkewPNumber2h%fXtraSpreadsheetFunctionArgumentNameStringId.SlnCostq%fXtraSpreadsheetFunctionArgumentNameStringId.SlnLife
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr	Binary or memory string: zXtraSpreadsheetFunctionArgumentDescriptionStringId.SlnSalvage;a
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr	Binary or memory string: %lXtraSpreadsheetFunctionArgumentNameStringId.SlnSalvage
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr	Binary or memory string: \XtraSpreadsheetFunctionDescriptionStringId.Sln
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr	Binary or memory string: tXtraSpreadsheetFunctionArgumentDescriptionStringId.SlnCost
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	Binary or memory string: *.csproj

Source: classification engine

Classification label: sus26.evad.winEXE@20/259@0/1

Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00489993 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,		0_2_00489993
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00489993 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,		1_2_00489993

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_00450BEB lstrcpyW,GetDiskFreeSpaceExW,

0_2_00450BEB

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_004405EF CoCreateInstance,

0_2_004405EF

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_0048829B __EH_prolog3_GS,LoadResource,

0_2_0048829B

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files\Rigaku

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\Public\Desktop\SureDI.lnk

Jump to behavior

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Mutant created: NULL
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Mutant created: \Sessions\1\BaseNamedObjects\{63154030-8752-402C-ADD0-9A60549F636B}
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Users\user\Desktop\SureDI.exe

File created: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: debuglog	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: Setup.cpp	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: runfromtemp	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: reboot	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: Setup.cpp	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: Setup.cpp	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: l/O	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: %s%s	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: tempdisk1folder	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: eprq	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: ISSetup.dll	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: ISSetup.dll	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: Skin	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: Startup	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: setup.isn	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: count	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: Languages	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: key%d	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: Languages	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: %s\0x%04x.ini	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: %s\0x%04x.ini	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: %s\%04x.mst	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: %s\%04x.mst	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: Setup.cpp	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: clone_wait	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: Setup.cpp	0_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: debuglog	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: Setup.cpp	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: runfromtemp	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: reboot	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: Setup.cpp	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: Setup.cpp	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: l/O	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: %s%s	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: tempdisk1folder	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: eprq	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: ISSetup.dll	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: ISSetup.dll	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: Skin	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: Startup	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: setup.isn	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: count	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: Languages	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: key%d	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: Languages	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: %s\0x%04x.ini	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: %s\0x%04x.ini	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: %s\%04x.mst	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: %s\%04x.mst	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: Setup.cpp	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: clone_wait	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: Setup.cpp	1_2_0044A891

Source: SureDI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SureDI.exe

File read: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\_ISMSIDEL.INI

Jump to behavior

Source: C:\Users\user\Desktop\SureDI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SureDI.exe

File read: C:\Users\user\Desktop\SureDI.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SureDI.exe "C:\Users\user\Desktop\SureDI.exe"
Source: C:\Users\user\Desktop\SureDI.exe	Process created: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe /q"C:\Users\user\Desktop\SureDI.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}" /IS_temp
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\Rigaku SureDI.msi" TRANSFORMS="C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="SureDI.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CDB15B2CE92E28F3B8622149A9799E65 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 72C84AB51E330DD7B93C0FC1C98E56AC
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 61343986035DDA98571FD63CB9C8F73D E Global\MSI0000
Source: unknown	Process created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe "C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 60E1AB94C32A1ADB74E0CFD4F89B3AA8 E Global\MSI0000
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe True
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\SureDI.exe	Process created: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe /q"C:\Users\user\Desktop\SureDI.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}" /IS_temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\Rigaku SureDI.msi" TRANSFORMS="C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="SureDI.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CDB15B2CE92E28F3B8622149A9799E65 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 72C84AB51E330DD7B93C0FC1C98E56AC	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 61343986035DDA98571FD63CB9C8F73D E Global\MSI0000	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 60E1AB94C32A1ADB74E0CFD4F89B3AA8 E Global\MSI0000	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe True	Jump to behavior

Source: C:\Users\user\Desktop\SureDI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SureDI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SureDI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SureDI.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: version.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: dwrite.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: wldp.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: profapi.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: winsta.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: powrprof.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: umpdc.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: dwmapi.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: d3d9.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: dataexchange.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: d3d11.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: dcomp.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: msctfui.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: propsys.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: d3dcompiler_47.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Source: C:\Users\user\Desktop\SureDI.exe

File written: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\_ISMSIDEL.INI

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: I accept the terms in the license agreement
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\msiexec.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.DBDataService.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.DBManager.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Launcher.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Logging.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.MaterialsService.Interface.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.Interface.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Editors.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Interface.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Layers.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Other.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Utils.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\CreateSQLServerDatabase.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\backup_SQLRigaku.cmd	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DBMaintenance.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles\database_backup.xml	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles\RigakuDB_Logging.bak	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles\RigakuDB_Project.bak	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles\RigakuDB_System.bak	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\LocalSQLserverSettings.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLserverConnectionSettings.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DSCViewerControlLib.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Charts.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.CodeParser.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Data.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.DataAccess.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Docs.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Images.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Mvvm.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Office.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Drawing.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Printing.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.RichEdit.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Snap.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Sparkline.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Spreadsheet.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Utils.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Charts.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.CodeView.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Controls.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Core.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Docking.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.DocumentViewer.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Gauges.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Extensions.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Layout.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.LayoutControl.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.NavBar.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.PdfViewer.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Printing.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Ribbon.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.RichEdit.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Spreadsheet.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.Office2016White.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.SmartBlue.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpo.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.XtraCharts.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.XtraEditors.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logic.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.DBBrowser.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Interface.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logging.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Signature.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.UICommon.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Help	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Help\SureDI_BasicPart_UserManual_EN.pdf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Help\SureDI_BasicPart_UserManual_JA.pdf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Help\SureDI_SystemAdministrator_UserManual_EN.pdf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Help\SureDI_SystemAdministrator_UserManual_JA.pdf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Data.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.DataAccess.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Office.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Printing.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.RichEdit.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Snap.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Sparkline.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Spreadsheet.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Charts.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Controls.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Core.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Docking.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.DocumentViewer.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Grid.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.LayoutControl.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.NavBar.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.PdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Printing.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Ribbon.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Spreadsheet.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpo.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.XtraCharts.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.Materials.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.MathA.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.Sample.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.StressModule.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.SystemExtensions.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.TextureModule.v1.1.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.XrayPhysics.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Editors.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Interface.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Layers.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Other.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Utils.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.CustomDataDialog.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DataBrowserDialog.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DBKeeperLogic.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DSCViewerControlLib.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.DBBrowser.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.UICommon.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.ImageViewerControlLib.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.MRInfrastructure.v3.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.DBManager.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.Launcher.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.Logging.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.UserManager.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.RigakuCommonTools.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.DBDataService.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.ReportingService.Interface.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.ReportingService.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.SignatureLib.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\SureDI.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\JP	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\JP\License.rtf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\ThirdParty	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\ThirdParty\ThirdPartyPrograms.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\US	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\US\License.rtf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.Database.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.Interactivity.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.MefExtensions.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.UnityExtensions.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.ServiceLocation.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.Interception.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Materials.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.MathA.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Sample.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressMath.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressModule.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.SystemExtensions.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureMath.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureModule.v1.1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.XrayPhysics.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.ImageLib.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.IO.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.RasxLib.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.Communication.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.DataStruct.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Basic.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Film.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Powder.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.xPDF.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB\AddDataFileResultFilesInfoConstraint.sql	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB\CreateDataFileResultFilesInfo.sql	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB\CreateTablesMng.sql	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\EntLibContrib.Logging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Ionic.Zip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\MathNet.Numerics.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\PdfSharp-WPF.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\PdfSharp.Xps.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\PluginsCatalog.xaml	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.Interface.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.CustomDataDialog.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DataBrowserDialog.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DBKeeperLogic.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DBUPR.DI.v1.0.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.ImageViewerControlLib.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.MRInfrastructure.v3.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.RigakuCommonTools.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.RLPS.DI.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.SignatureLib.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SlimDX.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\System.ComponentModel.Composition.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\System.Windows.Interactivity.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\tbb.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\TouchKeyboardNotifier.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\zlib.net.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\UpdateSQL.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\wupi.net.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\WupiEngine64.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\WupiEngineNet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\MonitoredUndo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.UndoRedoService.Interface.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.UserManager.v4.0.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12226574-52CC-483F-8DB0-E617C91F04D0}

Jump to behavior

Source: SureDI.exe

Static PE information: certificate valid

Source: SureDI.exe

Static file information: File size 100313696 > 1048576

Source: SureDI.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.Logging\obj\Release\Rigaku.EresSystem.Logging.v1.0.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2930700715.000001C23A0C2000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: Newtonsoft.Json.dll.3.dr
Source:	Binary string: e:\Builds\EntLib\Latest\Source\Blocks\Logging\Src\Logging\obj\Release\Microsoft.Practices.EnterpriseLibrary.Logging.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934280354.000001C252A22000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: msvcr100.amd64.pdb source: msvcr100.dll.3.dr
Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.UICommon\obj\Release\Rigaku.EresSystem.UICommon.v1.0.pdbE source: Rigaku.EresSystem.UICommon.v1.0.dll.3.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.3.dr
Source:	Binary string: e:\Builds\Unity\UnityTemp\Compile\Unity\Unity\Src\obj\Release\Microsoft.Practices.Unity.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2933982351.000001C2529A2000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: e:\Builds\Unity\UnityTemp\Compile\Unity\Unity.Interception\Src\obj\Release\Microsoft.Practices.Unity.Interception.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934118534.000001C2529D2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: e:\Builds\Unity\UnityTemp\Compile\Unity\Unity.Interception\Src\obj\Release\Microsoft.Practices.Unity.Interception.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934118534.000001C2529D2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\Desktop\Plugins\DBManager\Source\DBManager\obj\x64\Release\Rigaku.Plugins.DBManager.v4.0.pdb source: Rigaku.Plugins.DBManager.v4.0.dll.3.dr
Source:	Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\XPF\DevExpress.Xpf.Core\DevExpress.Xpf.Core\obj.Wpf\Release\DevExpress.Xpf.Core.v19.2.pdbH! source: DevExpress.Xpf.Core.v19.2.dll.3.dr
Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.UICommon\obj\Release\Rigaku.EresSystem.UICommon.v1.0.pdb source: Rigaku.EresSystem.UICommon.v1.0.dll.3.dr
Source:	Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\XPF\DevExpress.Mvvm\DevExpress.Mvvm.UI.ApplicationJumpTaskLauncher\obj\Release\DevExpress.Mvvm.UI.ApplicationJumpTaskLauncher.pdb source: DevExpress.Xpf.Core.v19.2.dll.3.dr
Source:	Binary string: c:\Home\Chris\Projects\CommonServiceLocator\main\Microsoft.Practices.ServiceLocation\obj\Release\Microsoft.Practices.ServiceLocation.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2930784627.000001C23A0E2000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\XPF\DevExpress.Xpf.Core\DevExpress.Xpf.Core\obj.Wpf\Release\DevExpress.Xpf.Core.v19.2.pdb source: DevExpress.Xpf.Core.v19.2.dll.3.dr
Source:	Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setup.pdb source: SureDI.exe
Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.MonitorService\obj\x64\Release\Rigaku.EresSystem.MonitorService.v1.0.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000000.2105764810.000001C2398F2000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: e:\Builds\EntLib\Latest\Source\Blocks\Common\Src\obj\Release\Microsoft.Practices.EnterpriseLibrary.Common.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934567546.000001C252AA2000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\Win\DevExpress.Pdf\DevExpress.Pdf.Core\obj_netFW\Release\DevExpress.Pdf.v19.2.Core.pdb source: DevExpress.Pdf.v19.2.Core.dll.3.dr
Source:	Binary string: C:\Project\develop_v4.5_Rigaku_ERES_SDK\SQLDatabase\Tools\Maintenance\LocalSQLserverSettings\LocalSQLserverSettings\obj\Release\LocalSQLserverSettings.pdb source: LocalSQLserverSettings.exe.3.dr
Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.Monitor\obj\x64\Release\Rigaku.EresSystem.Monitor.v1.0.pdb source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000000.2161411867.00000216E2912000.00000002.00000001.01000000.00000009.sdmp

Data Obfuscation

Binary contains a suspicious time stamp

Source: Rigaku.Plugins.Launcher.v1.0.dll.3.dr

Static PE information: 0x916A16A1 [Tue Apr 23 16:15:29 2047 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_00450F18 __EH_prolog3_GS,LoadLibraryW,GetProcAddress,#17,

0_2_00450F18

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00458585 push ecx; ret	0_2_00458598
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0045467D push ecx; ret	0_2_00454690
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0045CE25 push ebp; ret	0_2_0045CE26
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0045B931 push edi; ret	0_2_0045B933
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0045BA4A push esi; ret	0_2_0045BA4C
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0045BC25 push esi; ret	0_2_0045BC27
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0045BD0E push edi; ret	0_2_0045BD10
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00458585 push ecx; ret	1_2_00458598
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0045467D push ecx; ret	1_2_00454690
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0045CE25 push ebp; ret	1_2_0045CE26
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0045B931 push edi; ret	1_2_0045B933
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0045BA4A push esi; ret	1_2_0045BA4C
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0045BC25 push esi; ret	1_2_0045BC27
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0045BD0E push edi; ret	1_2_0045BD10
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B51D2A5 pushad ; iretd	10_2_00007FFD9B51D2A6
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B63592C push edx; retf	10_2_00007FFD9B6359DB
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B6358F2 push edx; retf	10_2_00007FFD9B6359DB
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B635945 push edx; retf	10_2_00007FFD9B6359DB
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B638123 push ebx; ret	10_2_00007FFD9B63816A
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B644710 push cs; retn 5F9Ch	10_2_00007FFD9B64B85F
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B648EE0 pushad ; retf	10_2_00007FFD9B648EF1
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B638DD0 pushad ; ret	10_2_00007FFD9B638E54
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B731B31 push edx; retn 0001h	10_2_00007FFD9B731C5C
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B730070 push edx; retn 0001h	10_2_00007FFD9B73001C
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B732800 push edx; retn 0001h	10_2_00007FFD9B73285C
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B730001 push edx; retn 0001h	10_2_00007FFD9B730004
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B730008 push edx; retn 0001h	10_2_00007FFD9B73001C
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B730410 push edx; retn 0001h	10_2_00007FFD9B73042C
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B730C10 push edx; retn 0001h	10_2_00007FFD9B730CA4
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B734C1F push edx; retn 0001h	10_2_00007FFD9B734C1C
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B732824 push edx; retn 0001h	10_2_00007FFD9B73285C

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIFDE6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.DBBrowser.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Images.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.Logging.v4.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureModule.v1.1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.xPDF.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.DBManager.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.DBKeeperLogic.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.MefExtensions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Ribbon.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Docs.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Controls.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Other.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.UICommon.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\wupi.net.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DBKeeperLogic.v4.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Printing.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.CodeView.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.Interception.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Gauges.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.PdfViewer.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Launcher.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Charts.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.UserManager.v4.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.DBDataService.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.DBMaintenance.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Mvvm.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Snap.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.UnityExtensions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.NavBar.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\PdfSharp-WPF.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.MRInfrastructure.v3.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.ReportingService.Interface.v4.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\CreateSQLServerDatabase.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Data.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Docking.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Spreadsheet.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Powder.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Other.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.RigakuCommonTools.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.ImageLib.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.Interface.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Ribbon.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Sparkline.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Printing.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.ImageViewerControlLib.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\TouchKeyboardNotifier.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.CustomDataDialog.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.DocumentViewer.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Core.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.SystemExtensions.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressMath.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.ReportingService.v4.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.LayoutControl.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpo.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\tbb.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.MathA.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Snap.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.RLPS.DI.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\LocalSQLserverSettings.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Layout.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.UndoRedoService.Interface.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.RasxLib.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.DBUPR.DI.v1.0.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DSCViewerControlLib.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.XrayPhysics.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\zlib.net.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Docking.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.Sample.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Data.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.DSCViewerControlLib.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.RigakuCommonTools.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6BC5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.LayoutControl.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.SignatureLib.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.ImageViewerControlLib.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Film.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logging.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.UICommon.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.DocumentViewer.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressModule.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\WupiEngineNet.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Charts.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.Office2016White.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Utils.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.MathA.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.UserManager.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\SureDI.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.MaterialsService.Interface.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Core.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.Launcher.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Printing.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.RichEdit.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\SlimDX.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Materials.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\MathNet.Numerics.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.Materials.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.SignatureLib.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{12226574-52CC-483F-8DB0-E617C91F04D0}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Editors.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.RichEdit.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.XtraEditors.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Layers.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Printing.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.Communication.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logic.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.DataStruct.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.DataBrowserDialog.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Interface.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\UpdateSQL.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Sparkline.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Basic.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Layers.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Spreadsheet.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.DataAccess.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Spreadsheet.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.SystemExtensions.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.NavBar.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureMath.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.RichEdit.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.DBDataService.v4.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.DBManager.v4.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Interface.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Sample.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.SmartBlue.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Office.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Utils.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.DataAccess.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.XrayPhysics.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Controls.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.TextureModule.v1.1.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpo.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Spreadsheet.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Extensions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Editors.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI360D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.Database.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Grid.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Drawing.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\WupiEngine64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.Interface.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.ServiceLocation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\MonitoredUndo.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DataBrowserDialog.v1.0.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SureDI.exe	File created: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.MRInfrastructure.v3.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.CodeParser.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\SQLserverConnectionSettings.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Signature.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.PdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Charts.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\System.ComponentModel.Composition.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\EntLibContrib.Logging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.XtraCharts.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.XtraCharts.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.StressModule.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.Interactivity.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Logging.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.CustomDataDialog.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Ionic.Zip.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Utils.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\wac36A9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.DBBrowser.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8CAC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.IO.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Office.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Interface.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\PdfSharp.Xps.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{12226574-52CC-483F-8DB0-E617C91F04D0}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6BC5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI360D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8CAC.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\License\JP\License.rtf			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\License\US\License.rtf			Jump to behavior

Boot Survival

Creates or modifies windows services

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rigaku	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rigaku\SureDI	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rigaku\SureDI\SureDI.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\msiexec.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_00458F38 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00458F38

Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Memory allocated: 1C239D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Memory allocated: 1C2522E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Memory allocated: 216E2C70000 memory reserve \| memory write watch
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Memory allocated: 216FC6F0000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Window / User API: threadDelayed 3790	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Window / User API: threadDelayed 6036	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Window / User API: threadDelayed 4932
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Window / User API: threadDelayed 4974

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.UICommon.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressModule.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\WupiEngineNet.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.Office2016White.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFDE6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Utils.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.MathA.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.DBBrowser.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.UserManager.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Images.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureModule.v1.1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.xPDF.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Services.MaterialsService.Interface.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Printing.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\SlimDX.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.DBManager.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Materials.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\MathNet.Numerics.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.DBKeeperLogic.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.SignatureLib.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{12226574-52CC-483F-8DB0-E617C91F04D0}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.MefExtensions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Editors.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.XtraEditors.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.RichEdit.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Controls.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Docs.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\wupi.net.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.Communication.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Printing.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logic.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.CodeView.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.Interception.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.DataStruct.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.DataBrowserDialog.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Gauges.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.PdfViewer.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\UpdateSQL.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Basic.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Layers.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.DataAccess.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.SystemExtensions.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.NavBar.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Launcher.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureMath.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.RichEdit.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Charts.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Interface.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Services.DBDataService.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.DBMaintenance.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Mvvm.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Snap.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.UnityExtensions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Sample.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\PdfSharp-WPF.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.MRInfrastructure.v3.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.SmartBlue.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\CreateSQLServerDatabase.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Utils.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.XrayPhysics.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Spreadsheet.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Powder.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Spreadsheet.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Extensions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.RigakuCommonTools.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Other.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI360D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.ImageLib.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.Database.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.Interface.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Ribbon.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Sparkline.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Drawing.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\WupiEngine64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.Interface.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\TouchKeyboardNotifier.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.ServiceLocation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\MonitoredUndo.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.DocumentViewer.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Core.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressMath.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.CodeParser.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\SQLserverConnectionSettings.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Signature.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpo.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Charts.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\System.ComponentModel.Composition.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\EntLibContrib.Logging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.XtraCharts.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\tbb.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.Interactivity.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Logging.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.RLPS.DI.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\LocalSQLserverSettings.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.CustomDataDialog.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Ionic.Zip.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Layout.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Services.UndoRedoService.Interface.v4.0.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wac36A9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.RasxLib.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI8CAC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.DBUPR.DI.v1.0.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.IO.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\zlib.net.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Docking.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Data.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.DSCViewerControlLib.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.LayoutControl.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6BC5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.ImageViewerControlLib.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Office.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logging.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Film.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\PdfSharp.Xps.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Interface.v2.0.dll	Jump to dropped file

Found evaded block containing many API calls

Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe

Evaded block: after key decision

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\SureDI.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\SureDI.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\SureDI.exe

API coverage: 8.6 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\msiexec.exe TID: 8052	Thread sleep count: 5816 > 30	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 8052	Thread sleep count: 3934 > 30	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 8068	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe TID: 8180	Thread sleep count: 3790 > 30	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe TID: 8180	Thread sleep count: 6036 > 30	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe TID: 6016	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe TID: 6016	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe TID: 792	Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2944	Thread sleep time: -30000s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_004373F3 __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,		0_2_004373F3
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_004373F3 __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,		1_2_004373F3

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_0048C06D GetModuleHandleW,GetProcAddress,GetSystemInfo,GetNativeSystemInfo,

0_2_0048C06D

Source: C:\Windows\System32\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Thread delayed: delay time: 922337203685477

Source: SureDI.exe	Binary or memory string: 2hgFs
Source: svchost.exe, 0000000F.00000002.2932351016.00000249FAA54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2930591574.00000249F542A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\SureDI.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_00456645 IsDebuggerPresent,

0_2_00456645

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_0046723E EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_0046723E

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_00450F18 __EH_prolog3_GS,LoadLibraryW,GetProcAddress,#17,

0_2_00450F18

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_00412E9E GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,_strlen,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,ReadFile,GetProcessHeap,HeapFree,

0_2_00412E9E

Enables debug privileges

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0046270D SetUnhandledExceptionFilter,	0_2_0046270D
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00462730 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00462730
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0046270D SetUnhandledExceptionFilter,	1_2_0046270D
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00462730 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00462730

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SureDI.exe	Process created: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe /q"C:\Users\user\Desktop\SureDI.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}" /IS_temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe True	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process created: C:\Windows\System32\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\local\temp\{acb5abde-1955-466a-9c3a-b1fff8bb5cfb}\rigaku suredi.msi" transforms="c:\users\user\appdata\local\temp\{acb5abde-1955-466a-9c3a-b1fff8bb5cfb}\1033.mst" setupexedir="c:\users\user\desktop" setupexename="suredi.exe"
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process created: C:\Windows\System32\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\local\temp\{acb5abde-1955-466a-9c3a-b1fff8bb5cfb}\rigaku suredi.msi" transforms="c:\users\user\appdata\local\temp\{acb5abde-1955-466a-9c3a-b1fff8bb5cfb}\1033.mst" setupexedir="c:\users\user\desktop" setupexename="suredi.exe"			Jump to behavior

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_00449455 __EH_prolog3_GS,_memset,_memset,_memset,_memset,_memset,_memset,InitializeSecurityDescriptor,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,SetEntriesInAclW,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,CoInitializeSecurity,

0_2_00449455

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_00486444 __EH_prolog3_GS,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,_memset,SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetTempPathW,

0_2_00486444

Source: SureDI.exe	Binary or memory string: Shell_TrayWnd
Source: SureDI.exe	Binary or memory string: BTahomaShell_TrayWnd0x0409TjK

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_00458171 cpuid

0_2_00458171

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\SureDI.exe	Code function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,	0_2_0045087D
Source: C:\Users\user\Desktop\SureDI.exe	Code function: GetLocaleInfoW,	0_2_00450902
Source: C:\Users\user\Desktop\SureDI.exe	Code function: IsProcessorFeaturePresent,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,	0_2_004589D8
Source: C:\Users\user\Desktop\SureDI.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,GetLocaleInfoW,	0_2_00476474
Source: C:\Users\user\Desktop\SureDI.exe	Code function: EnumSystemLocalesW,	0_2_004766E4
Source: C:\Users\user\Desktop\SureDI.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_00476740
Source: C:\Users\user\Desktop\SureDI.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_004767BD
Source: C:\Users\user\Desktop\SureDI.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,	0_2_00476840
Source: C:\Users\user\Desktop\SureDI.exe	Code function: GetLocaleInfoW,	0_2_00476A33
Source: C:\Users\user\Desktop\SureDI.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00476B5B
Source: C:\Users\user\Desktop\SureDI.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	0_2_00476C08
Source: C:\Users\user\Desktop\SureDI.exe	Code function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	0_2_00476CDC
Source: C:\Users\user\Desktop\SureDI.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00467A41
Source: C:\Users\user\Desktop\SureDI.exe	Code function: EnumSystemLocalesW,	0_2_00467C20
Source: C:\Users\user\Desktop\SureDI.exe	Code function: GetLocaleInfoW,	0_2_00467CA6
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,	1_2_0045087D
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: GetLocaleInfoW,	1_2_00450902
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: IsProcessorFeaturePresent,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,	1_2_004589D8
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,GetLocaleInfoW,	1_2_00476474
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: EnumSystemLocalesW,	1_2_004766E4
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_00476740
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_004767BD
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,	1_2_00476840
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: GetLocaleInfoW,	1_2_00476A33
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_00476B5B
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	1_2_00476C08
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	1_2_00476CDC
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	1_2_00467A41
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: EnumSystemLocalesW,	1_2_00467C20
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: GetLocaleInfoW,	1_2_00467CA6

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetSecurity\Microsoft.Windows.Firewall.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Queries volume information: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe VolumeInformation	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Queries volume information: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logging.v1.0.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Queries volume information: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Queries volume information: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.ServiceLocation.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Queries volume information: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Common.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Queries volume information: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Queries volume information: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.Interception.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logging.v1.0.dll VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_00446536 __EH_prolog3_GS,GetLocalTime,SystemTimeToVariantTime,

0_2_00446536

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_00430B5D __EH_prolog3_GS,GetVersionExW,_wcscmp,_wcscmp,

0_2_00430B5D

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
127.0.0.1

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00495C46 CryptReleaseContext,	0_2_00495C46
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00495C7E CryptDestroyHash,	0_2_00495C7E
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00495C98 CryptDestroyKey,	0_2_00495C98
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00495DC9 CryptExportKey,	0_2_00495DC9
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0049604C CryptGetHashParam,GetLastError,CryptGetHashParam,	0_2_0049604C
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0049620A CryptHashData,	0_2_0049620A
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00496296 CryptImportKey,	0_2_00496296
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00496320 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError,	0_2_00496320
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0049663C CoCreateGuid,StringFromGUID2,_wcsncpy,CryptAcquireContextW,CryptCreateHash,	0_2_0049663C
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_004969CD CryptGetHashParam,GetLastError,CryptSetHashParam,	0_2_004969CD
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00496A5A CryptAcquireContextW,CryptReleaseContext,CryptDestroyHash,	0_2_00496A5A
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00496DB9 SetFilePointer,CryptSignHashW,GetLastError,CryptSignHashW,WriteFile,WriteFile,WriteFile,SetFilePointer,	0_2_00496DB9
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00495C46 CryptReleaseContext,	1_2_00495C46
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00495C7E CryptDestroyHash,	1_2_00495C7E
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00495C98 CryptDestroyKey,	1_2_00495C98
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00495DC9 CryptExportKey,	1_2_00495DC9
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0049604C CryptGetHashParam,GetLastError,CryptGetHashParam,	1_2_0049604C
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0049620A CryptHashData,	1_2_0049620A
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00496296 CryptImportKey,	1_2_00496296
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00496320 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError,	1_2_00496320
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0049663C CoCreateGuid,StringFromGUID2,_wcsncpy,CryptAcquireContextW,CryptCreateHash,	1_2_0049663C
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_004969CD CryptGetHashParam,GetLastError,CryptSetHashParam,	1_2_004969CD
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00496A5A CryptAcquireContextW,CryptReleaseContext,CryptDestroyHash,	1_2_00496A5A
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00496DB9 SetFilePointer,CryptSignHashW,GetLastError,CryptSignHashW,WriteFile,WriteFile,WriteFile,SetFilePointer,	1_2_00496DB9

Compliance

Uses 32bit PE files

Source: SureDI.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.DBDataService.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.DBManager.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Launcher.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Logging.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.MaterialsService.Interface.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.Interface.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Editors.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Interface.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Layers.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Other.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Utils.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\CreateSQLServerDatabase.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\backup_SQLRigaku.cmd	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DBMaintenance.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles\database_backup.xml	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles\RigakuDB_Logging.bak	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles\RigakuDB_Project.bak	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles\RigakuDB_System.bak	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\LocalSQLserverSettings.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLserverConnectionSettings.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DSCViewerControlLib.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Charts.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.CodeParser.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Data.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.DataAccess.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Docs.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Images.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Mvvm.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Office.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Drawing.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Printing.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.RichEdit.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Snap.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Sparkline.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Spreadsheet.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Utils.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Charts.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.CodeView.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Controls.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Core.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Docking.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.DocumentViewer.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Gauges.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Extensions.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Layout.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.LayoutControl.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.NavBar.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.PdfViewer.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Printing.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Ribbon.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.RichEdit.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Spreadsheet.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.Office2016White.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.SmartBlue.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpo.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.XtraCharts.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.XtraEditors.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logic.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.DBBrowser.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Interface.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logging.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Signature.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.UICommon.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Help	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Help\SureDI_BasicPart_UserManual_EN.pdf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Help\SureDI_BasicPart_UserManual_JA.pdf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Help\SureDI_SystemAdministrator_UserManual_EN.pdf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Help\SureDI_SystemAdministrator_UserManual_JA.pdf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Data.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.DataAccess.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Office.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Printing.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.RichEdit.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Snap.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Sparkline.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Spreadsheet.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Charts.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Controls.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Core.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Docking.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.DocumentViewer.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Grid.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.LayoutControl.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.NavBar.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.PdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Printing.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Ribbon.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Spreadsheet.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpo.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.XtraCharts.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.Materials.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.MathA.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.Sample.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.StressModule.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.SystemExtensions.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.TextureModule.v1.1.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.XrayPhysics.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Editors.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Interface.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Layers.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Other.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Utils.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.CustomDataDialog.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DataBrowserDialog.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DBKeeperLogic.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DSCViewerControlLib.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.DBBrowser.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.UICommon.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.ImageViewerControlLib.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.MRInfrastructure.v3.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.DBManager.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.Launcher.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.Logging.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.UserManager.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.RigakuCommonTools.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.DBDataService.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.ReportingService.Interface.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.ReportingService.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.SignatureLib.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\SureDI.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\JP	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\JP\License.rtf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\ThirdParty	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\ThirdParty\ThirdPartyPrograms.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\US	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\US\License.rtf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.Database.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.Interactivity.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.MefExtensions.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.UnityExtensions.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.ServiceLocation.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.Interception.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Materials.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.MathA.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Sample.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressMath.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressModule.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.SystemExtensions.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureMath.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureModule.v1.1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.XrayPhysics.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.ImageLib.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.IO.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.RasxLib.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.Communication.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.DataStruct.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Basic.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Film.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Powder.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.xPDF.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB\AddDataFileResultFilesInfoConstraint.sql	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB\CreateDataFileResultFilesInfo.sql	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB\CreateTablesMng.sql	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\EntLibContrib.Logging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Ionic.Zip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\MathNet.Numerics.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\PdfSharp-WPF.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\PdfSharp.Xps.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\PluginsCatalog.xaml	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.Interface.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.CustomDataDialog.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DataBrowserDialog.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DBKeeperLogic.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DBUPR.DI.v1.0.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.ImageViewerControlLib.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.MRInfrastructure.v3.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.RigakuCommonTools.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.RLPS.DI.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.SignatureLib.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SlimDX.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\System.ComponentModel.Composition.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\System.Windows.Interactivity.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\tbb.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\TouchKeyboardNotifier.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\zlib.net.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\UpdateSQL.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\wupi.net.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\WupiEngine64.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\WupiEngineNet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\MonitoredUndo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.UndoRedoService.Interface.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.UserManager.v4.0.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12226574-52CC-483F-8DB0-E617C91F04D0}

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\License\JP\License.rtf			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\License\US\License.rtf			Jump to behavior

Source: SureDI.exe

Static PE information: certificate valid

Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.Logging\obj\Release\Rigaku.EresSystem.Logging.v1.0.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2930700715.000001C23A0C2000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: Newtonsoft.Json.dll.3.dr
Source:	Binary string: e:\Builds\EntLib\Latest\Source\Blocks\Logging\Src\Logging\obj\Release\Microsoft.Practices.EnterpriseLibrary.Logging.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934280354.000001C252A22000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: msvcr100.amd64.pdb source: msvcr100.dll.3.dr
Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.UICommon\obj\Release\Rigaku.EresSystem.UICommon.v1.0.pdbE source: Rigaku.EresSystem.UICommon.v1.0.dll.3.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.3.dr
Source:	Binary string: e:\Builds\Unity\UnityTemp\Compile\Unity\Unity\Src\obj\Release\Microsoft.Practices.Unity.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2933982351.000001C2529A2000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: e:\Builds\Unity\UnityTemp\Compile\Unity\Unity.Interception\Src\obj\Release\Microsoft.Practices.Unity.Interception.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934118534.000001C2529D2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: e:\Builds\Unity\UnityTemp\Compile\Unity\Unity.Interception\Src\obj\Release\Microsoft.Practices.Unity.Interception.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934118534.000001C2529D2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\Desktop\Plugins\DBManager\Source\DBManager\obj\x64\Release\Rigaku.Plugins.DBManager.v4.0.pdb source: Rigaku.Plugins.DBManager.v4.0.dll.3.dr
Source:	Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\XPF\DevExpress.Xpf.Core\DevExpress.Xpf.Core\obj.Wpf\Release\DevExpress.Xpf.Core.v19.2.pdbH! source: DevExpress.Xpf.Core.v19.2.dll.3.dr
Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.UICommon\obj\Release\Rigaku.EresSystem.UICommon.v1.0.pdb source: Rigaku.EresSystem.UICommon.v1.0.dll.3.dr
Source:	Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\XPF\DevExpress.Mvvm\DevExpress.Mvvm.UI.ApplicationJumpTaskLauncher\obj\Release\DevExpress.Mvvm.UI.ApplicationJumpTaskLauncher.pdb source: DevExpress.Xpf.Core.v19.2.dll.3.dr
Source:	Binary string: c:\Home\Chris\Projects\CommonServiceLocator\main\Microsoft.Practices.ServiceLocation\obj\Release\Microsoft.Practices.ServiceLocation.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2930784627.000001C23A0E2000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\XPF\DevExpress.Xpf.Core\DevExpress.Xpf.Core\obj.Wpf\Release\DevExpress.Xpf.Core.v19.2.pdb source: DevExpress.Xpf.Core.v19.2.dll.3.dr
Source:	Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setup.pdb source: SureDI.exe
Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.MonitorService\obj\x64\Release\Rigaku.EresSystem.MonitorService.v1.0.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000000.2105764810.000001C2398F2000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: e:\Builds\EntLib\Latest\Source\Blocks\Common\Src\obj\Release\Microsoft.Practices.EnterpriseLibrary.Common.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934567546.000001C252AA2000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\Win\DevExpress.Pdf\DevExpress.Pdf.Core\obj_netFW\Release\DevExpress.Pdf.v19.2.Core.pdb source: DevExpress.Pdf.v19.2.Core.dll.3.dr
Source:	Binary string: C:\Project\develop_v4.5_Rigaku_ERES_SDK\SQLDatabase\Tools\Maintenance\LocalSQLserverSettings\LocalSQLserverSettings\obj\Release\LocalSQLserverSettings.pdb source: LocalSQLserverSettings.exe.3.dr
Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.Monitor\obj\x64\Release\Rigaku.EresSystem.Monitor.v1.0.pdb source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000000.2161411867.00000216E2912000.00000002.00000001.01000000.00000009.sdmp

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_004373F3 __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,		0_2_004373F3
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_004373F3 __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,		1_2_004373F3

Networking

Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: Https://go.devexpress.com/Demo_2013_BuyNow.aspxfhttps://go.devexpress.com/Demo_2013_BuyNow_ASP.aspxl
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: Https://go.devexpress.com/Demo_2013_Chat.aspxgHttps://go.devexpress.com/Demo_2013_GetSupport.aspx
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://creativecommons.org/ns#
Source: svchost.exe, 0000000F.00000002.2932195097.00000249FAA00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2931507929.00000216E478C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/Rigaku.EresSystem.Monitor.v1.0;component/mainwindow.xaml
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://documentation.devexpress.com/
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2931507929.00000216E478C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/mainwindow.baml
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2931507929.00000216E478C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/mainwindow.xaml
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://go.devexpress.com/SupportXBAP.aspx
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/accordion/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/accordion/themekeyslhttp://schemas.devexpress.com/winf
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr, Rigaku.Plugins.DBManager.v4.0.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/bars
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/bars/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/bars/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/carousel/themekeysjhttp://schemas.devexpress.com/winfx
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/charts/rangecontrolclient
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/charts/themekeyshhttp://schemas.devexpress.com/winfx/2
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/controls/themekeysphttp://schemas.devexpress.com/winfx
Source: Rigaku.EresSystem.UICommon.v1.0.dll.3.dr, Rigaku.Plugins.DBManager.v4.0.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core)DevExpress.Xpf.Core.ConditionalFormatting
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core)DevExpress.Xpf.Core.ConditionalFormattingq
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/filteringui
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/filteringui/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/filteringui/themekeysxhttp://schemas.devexpress.c
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/internal0DevExpress.Xpf.Core.ConditionalFormattin
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/themekeys0DevExpress.Xpf.Core.ConditionalFormatti
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/wizardframework
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/wizardframework#DevExpress.Xpf.Core.WizardFramewo
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/wizardframeworkvhttp://schemas.devexpress.com/win
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/dashboard/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/dashboard/themekeys:DevExpress.Xpf.DocumentViewerHDevE
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/dataaccess/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/dataaccess/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/diagram/internal~http://schemas.devexpress.com/winfx/2
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/dialogs/internalfhttp://schemas.devexpress.com/winfx/2
Source: Rigaku.CustomDataDialog.v1.0.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/docking
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/docking/platform
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/docking/visualelementsnhttp://schemas.devexpress.com/w
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/documentviewer/themekeysbhttp://schemas.devexpress.com
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr, Rigaku.EresSystem.UICommon.v1.0.dll.3.dr, Rigaku.Plugins.DBManager.v4.0.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors#DevExpress.Xpf.Editors.RangeControl
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors#DevExpress.Xpf.Editors.RangeControlZ
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors$DevExpress.Xpf.Editors.DateNavigator
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors&DevExpress.Xpf.Editors.Popups.Calendar
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors&DevExpress.Xpf.Editors.Popups.Calendar;
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors)DevExpress.Xpf.Editors.Settings.Extension
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors)DevExpress.Xpf.Editors.Settings.Extensionb
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors/internal$DevExpress.Xpf.Editors.Flyout.Native
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors/internal$DevExpress.Xpf.Editors.Flyout.NativeG
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors/internal-DevExpress.Xpf.Editors.DateNavigator.
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors/internalthttp://schemas.devexpress.com/winfx/2
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/expressioneditor
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/expressioneditor/internalthttp://schemas.devexpress.co
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/gauges/themekeysbhttp://schemas.devexpress.com/winfx/2
Source: Rigaku.EresSystem.UICommon.v1.0.dll.3.dr, Rigaku.Plugins.DBManager.v4.0.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/grid
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/mvvm
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/mvvm/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/mvvm/internal$DevExpress.Mvvm.UI
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/mvvm/internal)DevExpress.Mvvm.UI.Interactivity.Interna
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/navbar/themekeysjhttp://schemas.devexpress.com/winfx/2
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/navigation/internalnhttp://schemas.devexpress.com/winf
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/office
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/office/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/office/themekeyslhttp://schemas.devexpress.com/winfx/2
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/pivotgrid/internaldhttp://schemas.devexpress.com/winfx
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/pivotgrid/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr, Rigaku.Plugins.DBManager.v4.0.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/printing
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/printing/parametersphttp://schemas.devexpress.com/winf
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/printing/themekeyszhttp://schemas.devexpress.com/winfx
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/propertygrid/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/propertygrid/themekeysjhttp://schemas.devexpress.com/w
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/reports/userdesigner
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/reports/userdesigner/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/reports/userdesigner/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/reports/userdesigner/wizard
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/reports/userdesigner/wizard/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/reports/userdesignerextensionsvhttp://schemas.devexpre
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr, Rigaku.Plugins.DBManager.v4.0.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/ribbon
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/ribbon/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/ribbon/themekeyshhttp://schemas.devexpress.com/winfx/2
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/richedit
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/richedit/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/richeditextensionslhttp://schemas.devexpress.com/winfx
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/scheduler/internalphttp://schemas.devexpress.com/winfx
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/scheduler/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/scheduling/themekeyshhttp://schemas.devexpress.com/win
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/spreadsheet/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/spreadsheet/themekeysdhttp://schemas.devexpress.com/wi
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/windowsui/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/windowsui/navigationlhttp://schemas.devexpress.com/win
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/windowsui/themekeys
Source: Rigaku.EresSystem.UICommon.v1.0.dll.3.dr	String found in binary or memory: http://schemas.rigaku.com/eressystem/uicommon
Source: Rigaku.CustomDataDialog.v1.0.dll.3.dr	String found in binary or memory: http://schemas.rigaku.com/slsii/infra/customfiledialog
Source: Rigaku.CustomDataDialog.v1.0.dll.3.dr	String found in binary or memory: http://schemas.rigaku.com/slsii/infra/dscviewerctrl
Source: Rigaku.CustomDataDialog.v1.0.dll.3.dr	String found in binary or memory: http://schemas.rigaku.com/slsii/infra/imgviewerctrl
Source: Rigaku.Plugins.DBManager.v4.0.dll.3.dr	String found in binary or memory: http://schemas.rigaku.com/slsii/plugins/dbmanager
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr	String found in binary or memory: http://t2.symcb.com0
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr	String found in binary or memory: http://tl.symcd.com0&
Source: DevExpress.Pdf.v19.2.Core.dll.3.dr	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: http://www.inkscape.org/namespaces/inkscape
Source: SureDI.exe	String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SureDI.exe, 00000001.00000003.2222889116.0000000000680000.00000004.00000020.00020000.00000000.sdmp, SureDI.exe, 00000001.00000002.2224330579.000000000068D000.00000004.00000020.00020000.00000000.sdmp, SureDI.exe, 00000001.00000003.2223003927.000000000068C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rigaku.com
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: https://documentation.devexpress.com/#WPF/CustomDocument17469
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: https://documentation.devexpress.com/WPF/11765/Controls-and-Libraries/Data-Grid/Binding-to-Data/Mana
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA933000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.2247382757.00000249FA984000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.2247382757.00000249FA997000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.2247382757.00000249FA952000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.2247382757.00000249FA978000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: https://go.devexpress.com/Demo_2013_Competitive_Discounts.aspx_Https://go.devexpress.com/Demo_2013_B
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: https://go.devexpress.com/Demo_2013_Competitive_Discounts.aspxzhttps://go.devexpress.com/Demo_2013_C
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: https://go.devexpress.com/Demo_2013_RegisterTrial.aspx
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr	String found in binary or memory: https://www.devexpress.com/0
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	String found in binary or memory: https://www.nuget.org/packages/Mono.Cecil/)
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr	String found in binary or memory: https://www.thawte.com/repository0W

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\Rigaku.EresSystem.MonitorService.v1.0	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\Rigaku.EresSystem.MonitorService.v1.0	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\Rigaku.EresSystem.MonitorService.v1.0	Jump to behavior

Reads the System eventlog

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\Rigaku.EresSystem.MonitorService.v1.0	Jump to behavior

Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00496296 CryptImportKey,	0_2_00496296
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00496320 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError,	0_2_00496320
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00496296 CryptImportKey,	1_2_00496296
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00496320 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError,	1_2_00496320

System Summary

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00489993 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,		0_2_00489993
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00489993 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,		1_2_00489993

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4d26bb.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4d26bc.mst	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{12226574-52CC-483F-8DB0-E617C91F04D0}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI360D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI36C9.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\msvcr100.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6BC5.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{12226574-52CC-483F-8DB0-E617C91F04D0}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{12226574-52CC-483F-8DB0-E617C91F04D0}\ARPPRODUCTICON.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8CAC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4d26be.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4d26be.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{12226574-52CC-483F-8DB0-E617C91F04D0}\1033.MST	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI360D.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0044A891	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_004782CB	0_2_004782CB
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00478834	0_2_00478834
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040C980	0_2_0040C980
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00498C92	0_2_00498C92
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00408D60	0_2_00408D60
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040CDD0	0_2_0040CDD0
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00478DA4	0_2_00478DA4
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00468E1E	0_2_00468E1E
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00458F38	0_2_00458F38
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040D090	0_2_0040D090
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00465120	0_2_00465120
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040D3F0	0_2_0040D3F0
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00479453	0_2_00479453
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040D476	0_2_0040D476
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040D438	0_2_0040D438
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00409482	0_2_00409482
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040D4B6	0_2_0040D4B6
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040D600	0_2_0040D600
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0046E37B	0_2_0046E37B
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0049E300	0_2_0049E300
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0046A5E9	0_2_0046A5E9
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0047A8E7	0_2_0047A8E7
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00462CB0	0_2_00462CB0
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00472EDD	0_2_00472EDD
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0047B063	0_2_0047B063
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0046306F	0_2_0046306F
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0042F538	0_2_0042F538
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00463CC5	0_2_00463CC5
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0045FE04	0_2_0045FE04
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00408D60	1_2_00408D60
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0044A891	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0042F538	1_2_0042F538
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_004782CB	1_2_004782CB
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00478834	1_2_00478834
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040C980	1_2_0040C980
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00498C92	1_2_00498C92
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040CDD0	1_2_0040CDD0
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00478DA4	1_2_00478DA4
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00468E1E	1_2_00468E1E
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00458F38	1_2_00458F38
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040D090	1_2_0040D090
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00465120	1_2_00465120
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040D3F0	1_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00479453	1_2_00479453
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040D476	1_2_0040D476
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040D438	1_2_0040D438
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00409482	1_2_00409482
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040D4B6	1_2_0040D4B6
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040D600	1_2_0040D600
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0046E37B	1_2_0046E37B
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0049E300	1_2_0049E300
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0046A5E9	1_2_0046A5E9
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0047A8E7	1_2_0047A8E7
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00462CB0	1_2_00462CB0
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00472EDD	1_2_00472EDD
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0047B063	1_2_0047B063
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0046306F	1_2_0046306F
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00463CC5	1_2_00463CC5
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0045FE04	1_2_0045FE04
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B64756F	10_2_00007FFD9B64756F
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Code function: 13_2_00007FFD9B63103B	13_2_00007FFD9B63103B
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Code function: 13_2_00007FFD9B631985	13_2_00007FFD9B631985
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Code function: 13_2_00007FFD9B638879	13_2_00007FFD9B638879

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00402CA0 appears 214 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00419D16 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00419426 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00454718 appears 107 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00452D09 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 004546AF appears 468 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00458540 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 004115ED appears 115 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00452CDB appears 71 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 004546E2 appears 313 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 004533D0 appears 131 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00402CA0 appears 213 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00419D16 appears 42 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00419426 appears 39 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00454718 appears 107 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00452D09 appears 57 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 004546AF appears 468 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00458540 appears 42 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 004115ED appears 113 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00452CDB appears 71 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 004546E2 appears 313 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 004533D0 appears 131 times

PE file does not import any functions

Source: Rigaku.Plugins.DBManager.v4.0.dll.3.dr	Static PE information: No import functions for PE file found
Source: Rigaku.Plugins.UserManager.v4.0.dll.3.dr	Static PE information: No import functions for PE file found
Source: Rigaku.Plugins.Launcher.v1.0.dll.3.dr	Static PE information: No import functions for PE file found
Source: Rigaku.Plugins.Logging.v4.0.dll.3.dr	Static PE information: No import functions for PE file found
Source: Rigaku.Services.DBDataService.v4.0.dll.3.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: SureDI.exe, 00000000.00000000.1663445755.0000000000536000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs SureDI.exe
Source: SureDI.exe, 00000001.00000002.2224022369.0000000000536000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs SureDI.exe
Source: SureDI.exe	Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs SureDI.exe

Uses 32bit PE files

Source: SureDI.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	Binary or memory string: *.vbproj
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr	Binary or memory string: tXtraSpreadsheetFunctionArgumentDescriptionStringId.SlnLife
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr	Binary or memory string: %lXtraSpreadsheetFunctionArgumentNameStringId.SeriessumN"%lXtraSpreadsheetFunctionArgumentNameStringId.SeriessumX%%lXtraSpreadsheetFunctionArgumentNameStringId.SheetValue(%vXtraSpreadsheetFunctionArgumentNameStringId.SheetsReference-%lXtraSpreadsheetFunctionArgumentNameStringId.SignNumber5%lXtraSpreadsheetFunctionArgumentNameStringId.SinHNumber=%jXtraSpreadsheetFunctionArgumentNameStringId.SinNumberE%nXtraSpreadsheetFunctionArgumentNameStringId.SkewNumber1M%nXtraSpreadsheetFunctionArgumentNameStringId.SkewNumber2V%pXtraSpreadsheetFunctionArgumentNameStringId.SkewPNumber1_%pXtraSpreadsheetFunctionArgumentNameStringId.SkewPNumber2h%fXtraSpreadsheetFunctionArgumentNameStringId.SlnCostq%fXtraSpreadsheetFunctionArgumentNameStringId.SlnLife
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr	Binary or memory string: zXtraSpreadsheetFunctionArgumentDescriptionStringId.SlnSalvage;a
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr	Binary or memory string: %lXtraSpreadsheetFunctionArgumentNameStringId.SlnSalvage
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr	Binary or memory string: \XtraSpreadsheetFunctionDescriptionStringId.Sln
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr	Binary or memory string: tXtraSpreadsheetFunctionArgumentDescriptionStringId.SlnCost
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	Binary or memory string: *.csproj

Source: classification engine

Classification label: sus26.evad.winEXE@20/259@0/1

Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00489993 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,		0_2_00489993
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00489993 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,		1_2_00489993

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_00450BEB lstrcpyW,GetDiskFreeSpaceExW,

0_2_00450BEB

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_004405EF CoCreateInstance,

0_2_004405EF

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_0048829B __EH_prolog3_GS,LoadResource,

0_2_0048829B

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files\Rigaku

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\Public\Desktop\SureDI.lnk

Jump to behavior

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Mutant created: NULL
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Mutant created: \Sessions\1\BaseNamedObjects\{63154030-8752-402C-ADD0-9A60549F636B}
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Users\user\Desktop\SureDI.exe

File created: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: debuglog	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: Setup.cpp	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: runfromtemp	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: reboot	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: Setup.cpp	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: Setup.cpp	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: l/O	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: %s%s	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: tempdisk1folder	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: eprq	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: ISSetup.dll	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: ISSetup.dll	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: Skin	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: Startup	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: setup.isn	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: count	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: Languages	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: key%d	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: Languages	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: %s\0x%04x.ini	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: %s\0x%04x.ini	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: %s\%04x.mst	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: %s\%04x.mst	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: Setup.cpp	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: clone_wait	0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Command line argument: Setup.cpp	0_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: debuglog	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: Setup.cpp	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: runfromtemp	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: reboot	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: Setup.cpp	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: Setup.cpp	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: l/O	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: %s%s	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: tempdisk1folder	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: eprq	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: ISSetup.dll	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: ISSetup.dll	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: Skin	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: Startup	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: setup.isn	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: count	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: Languages	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: key%d	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: Languages	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: %s\0x%04x.ini	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: %s\0x%04x.ini	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: %s\%04x.mst	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: %s\%04x.mst	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: Setup.cpp	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: clone_wait	1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Command line argument: Setup.cpp	1_2_0044A891

Source: SureDI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SureDI.exe

File read: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\_ISMSIDEL.INI

Jump to behavior

Source: C:\Users\user\Desktop\SureDI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SureDI.exe

File read: C:\Users\user\Desktop\SureDI.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SureDI.exe "C:\Users\user\Desktop\SureDI.exe"
Source: C:\Users\user\Desktop\SureDI.exe	Process created: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe /q"C:\Users\user\Desktop\SureDI.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}" /IS_temp
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\Rigaku SureDI.msi" TRANSFORMS="C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="SureDI.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CDB15B2CE92E28F3B8622149A9799E65 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 72C84AB51E330DD7B93C0FC1C98E56AC
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 61343986035DDA98571FD63CB9C8F73D E Global\MSI0000
Source: unknown	Process created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe "C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 60E1AB94C32A1ADB74E0CFD4F89B3AA8 E Global\MSI0000
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe True
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\SureDI.exe	Process created: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe /q"C:\Users\user\Desktop\SureDI.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}" /IS_temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\Rigaku SureDI.msi" TRANSFORMS="C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="SureDI.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CDB15B2CE92E28F3B8622149A9799E65 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 72C84AB51E330DD7B93C0FC1C98E56AC	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 61343986035DDA98571FD63CB9C8F73D E Global\MSI0000	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 60E1AB94C32A1ADB74E0CFD4F89B3AA8 E Global\MSI0000	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe True	Jump to behavior

Source: C:\Users\user\Desktop\SureDI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SureDI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SureDI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SureDI.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: version.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: dwrite.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: wldp.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: profapi.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: winsta.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: powrprof.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: umpdc.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: dwmapi.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: d3d9.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: dataexchange.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: d3d11.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: dcomp.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: msctfui.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: propsys.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: d3dcompiler_47.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Source: C:\Users\user\Desktop\SureDI.exe

File written: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\_ISMSIDEL.INI

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: I accept the terms in the license agreement
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\msiexec.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.DBDataService.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.DBManager.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Launcher.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Logging.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.MaterialsService.Interface.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.Interface.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Editors.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Interface.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Layers.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Other.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Utils.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\CreateSQLServerDatabase.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\backup_SQLRigaku.cmd	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DBMaintenance.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles\database_backup.xml	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles\RigakuDB_Logging.bak	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles\RigakuDB_Project.bak	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles\RigakuDB_System.bak	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\LocalSQLserverSettings.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLserverConnectionSettings.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DSCViewerControlLib.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Charts.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.CodeParser.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Data.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.DataAccess.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Docs.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Images.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Mvvm.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Office.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Drawing.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Printing.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.RichEdit.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Snap.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Sparkline.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Spreadsheet.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Utils.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Charts.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.CodeView.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Controls.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Core.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Docking.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.DocumentViewer.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Gauges.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Extensions.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Layout.v19.2.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.LayoutControl.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.NavBar.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.PdfViewer.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Printing.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Ribbon.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.RichEdit.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Spreadsheet.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.Office2016White.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.SmartBlue.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpo.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.XtraCharts.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\DevExpress.XtraEditors.v19.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logic.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.DBBrowser.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Interface.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logging.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Signature.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.UICommon.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Help	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Help\SureDI_BasicPart_UserManual_EN.pdf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Help\SureDI_BasicPart_UserManual_JA.pdf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Help\SureDI_SystemAdministrator_UserManual_EN.pdf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Help\SureDI_SystemAdministrator_UserManual_JA.pdf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Data.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.DataAccess.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Office.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Printing.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.RichEdit.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Snap.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Sparkline.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Spreadsheet.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Charts.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Controls.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Core.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Docking.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.DocumentViewer.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Grid.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.LayoutControl.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.NavBar.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.PdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Printing.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Ribbon.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Spreadsheet.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpo.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.XtraCharts.v19.2.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.Materials.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.MathA.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.Sample.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.StressModule.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.SystemExtensions.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.TextureModule.v1.1.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.XrayPhysics.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Editors.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Interface.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Layers.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Other.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Utils.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.v2.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.CustomDataDialog.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DataBrowserDialog.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DBKeeperLogic.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DSCViewerControlLib.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.DBBrowser.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.UICommon.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.ImageViewerControlLib.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.MRInfrastructure.v3.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.DBManager.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.Launcher.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.Logging.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.UserManager.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.RigakuCommonTools.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.DBDataService.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.ReportingService.Interface.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.ReportingService.v4.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.SignatureLib.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\ja\SureDI.v1.0.resources.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\JP	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\JP\License.rtf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\ThirdParty	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\ThirdParty\ThirdPartyPrograms.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\US	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\License\US\License.rtf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.Database.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.Interactivity.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.MefExtensions.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.UnityExtensions.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.ServiceLocation.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.Interception.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Materials.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.MathA.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Sample.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressMath.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressModule.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.SystemExtensions.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureMath.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureModule.v1.1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.XrayPhysics.v2.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.ImageLib.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.IO.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.RasxLib.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.Communication.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.DataStruct.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Basic.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Film.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Powder.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.xPDF.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB\AddDataFileResultFilesInfoConstraint.sql	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB\CreateDataFileResultFilesInfo.sql	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB\CreateTablesMng.sql	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\EntLibContrib.Logging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Ionic.Zip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\MathNet.Numerics.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\PdfSharp-WPF.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\PdfSharp.Xps.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\PluginsCatalog.xaml	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.Interface.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.CustomDataDialog.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DataBrowserDialog.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DBKeeperLogic.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DBUPR.DI.v1.0.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.ImageViewerControlLib.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.MRInfrastructure.v3.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.RigakuCommonTools.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.RLPS.DI.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.SignatureLib.v1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SlimDX.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\System.ComponentModel.Composition.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\System.Windows.Interactivity.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\tbb.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\TouchKeyboardNotifier.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\zlib.net.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\UpdateSQL.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\wupi.net.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\WupiEngine64.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\WupiEngineNet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\MonitoredUndo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.UndoRedoService.Interface.v4.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.UserManager.v4.0.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12226574-52CC-483F-8DB0-E617C91F04D0}

Jump to behavior

Source: SureDI.exe

Static PE information: certificate valid

Source: SureDI.exe

Static file information: File size 100313696 > 1048576

Source: SureDI.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.Logging\obj\Release\Rigaku.EresSystem.Logging.v1.0.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2930700715.000001C23A0C2000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: Newtonsoft.Json.dll.3.dr
Source:	Binary string: e:\Builds\EntLib\Latest\Source\Blocks\Logging\Src\Logging\obj\Release\Microsoft.Practices.EnterpriseLibrary.Logging.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934280354.000001C252A22000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: msvcr100.amd64.pdb source: msvcr100.dll.3.dr
Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.UICommon\obj\Release\Rigaku.EresSystem.UICommon.v1.0.pdbE source: Rigaku.EresSystem.UICommon.v1.0.dll.3.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.3.dr
Source:	Binary string: e:\Builds\Unity\UnityTemp\Compile\Unity\Unity\Src\obj\Release\Microsoft.Practices.Unity.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2933982351.000001C2529A2000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: e:\Builds\Unity\UnityTemp\Compile\Unity\Unity.Interception\Src\obj\Release\Microsoft.Practices.Unity.Interception.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934118534.000001C2529D2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: e:\Builds\Unity\UnityTemp\Compile\Unity\Unity.Interception\Src\obj\Release\Microsoft.Practices.Unity.Interception.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934118534.000001C2529D2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\Desktop\Plugins\DBManager\Source\DBManager\obj\x64\Release\Rigaku.Plugins.DBManager.v4.0.pdb source: Rigaku.Plugins.DBManager.v4.0.dll.3.dr
Source:	Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\XPF\DevExpress.Xpf.Core\DevExpress.Xpf.Core\obj.Wpf\Release\DevExpress.Xpf.Core.v19.2.pdbH! source: DevExpress.Xpf.Core.v19.2.dll.3.dr
Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.UICommon\obj\Release\Rigaku.EresSystem.UICommon.v1.0.pdb source: Rigaku.EresSystem.UICommon.v1.0.dll.3.dr
Source:	Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\XPF\DevExpress.Mvvm\DevExpress.Mvvm.UI.ApplicationJumpTaskLauncher\obj\Release\DevExpress.Mvvm.UI.ApplicationJumpTaskLauncher.pdb source: DevExpress.Xpf.Core.v19.2.dll.3.dr
Source:	Binary string: c:\Home\Chris\Projects\CommonServiceLocator\main\Microsoft.Practices.ServiceLocation\obj\Release\Microsoft.Practices.ServiceLocation.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2930784627.000001C23A0E2000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\XPF\DevExpress.Xpf.Core\DevExpress.Xpf.Core\obj.Wpf\Release\DevExpress.Xpf.Core.v19.2.pdb source: DevExpress.Xpf.Core.v19.2.dll.3.dr
Source:	Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setup.pdb source: SureDI.exe
Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.MonitorService\obj\x64\Release\Rigaku.EresSystem.MonitorService.v1.0.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000000.2105764810.000001C2398F2000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: e:\Builds\EntLib\Latest\Source\Blocks\Common\Src\obj\Release\Microsoft.Practices.EnterpriseLibrary.Common.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934567546.000001C252AA2000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\Win\DevExpress.Pdf\DevExpress.Pdf.Core\obj_netFW\Release\DevExpress.Pdf.v19.2.Core.pdb source: DevExpress.Pdf.v19.2.Core.dll.3.dr
Source:	Binary string: C:\Project\develop_v4.5_Rigaku_ERES_SDK\SQLDatabase\Tools\Maintenance\LocalSQLserverSettings\LocalSQLserverSettings\obj\Release\LocalSQLserverSettings.pdb source: LocalSQLserverSettings.exe.3.dr
Source:	Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.Monitor\obj\x64\Release\Rigaku.EresSystem.Monitor.v1.0.pdb source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000000.2161411867.00000216E2912000.00000002.00000001.01000000.00000009.sdmp

Data Obfuscation

Binary contains a suspicious time stamp

Source: Rigaku.Plugins.Launcher.v1.0.dll.3.dr

Static PE information: 0x916A16A1 [Tue Apr 23 16:15:29 2047 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_00450F18 __EH_prolog3_GS,LoadLibraryW,GetProcAddress,#17,

0_2_00450F18

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00458585 push ecx; ret	0_2_00458598
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0045467D push ecx; ret	0_2_00454690
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0045CE25 push ebp; ret	0_2_0045CE26
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0045B931 push edi; ret	0_2_0045B933
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0045BA4A push esi; ret	0_2_0045BA4C
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0045BC25 push esi; ret	0_2_0045BC27
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0045BD0E push edi; ret	0_2_0045BD10
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00458585 push ecx; ret	1_2_00458598
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0045467D push ecx; ret	1_2_00454690
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0045CE25 push ebp; ret	1_2_0045CE26
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0045B931 push edi; ret	1_2_0045B933
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0045BA4A push esi; ret	1_2_0045BA4C
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0045BC25 push esi; ret	1_2_0045BC27
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0045BD0E push edi; ret	1_2_0045BD10
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B51D2A5 pushad ; iretd	10_2_00007FFD9B51D2A6
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B63592C push edx; retf	10_2_00007FFD9B6359DB
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B6358F2 push edx; retf	10_2_00007FFD9B6359DB
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B635945 push edx; retf	10_2_00007FFD9B6359DB
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B638123 push ebx; ret	10_2_00007FFD9B63816A
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B644710 push cs; retn 5F9Ch	10_2_00007FFD9B64B85F
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B648EE0 pushad ; retf	10_2_00007FFD9B648EF1
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B638DD0 pushad ; ret	10_2_00007FFD9B638E54
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B731B31 push edx; retn 0001h	10_2_00007FFD9B731C5C
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B730070 push edx; retn 0001h	10_2_00007FFD9B73001C
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B732800 push edx; retn 0001h	10_2_00007FFD9B73285C
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B730001 push edx; retn 0001h	10_2_00007FFD9B730004
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B730008 push edx; retn 0001h	10_2_00007FFD9B73001C
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B730410 push edx; retn 0001h	10_2_00007FFD9B73042C
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B730C10 push edx; retn 0001h	10_2_00007FFD9B730CA4
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B734C1F push edx; retn 0001h	10_2_00007FFD9B734C1C
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B732824 push edx; retn 0001h	10_2_00007FFD9B73285C

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIFDE6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.DBBrowser.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Images.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.Logging.v4.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureModule.v1.1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.xPDF.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.DBManager.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.DBKeeperLogic.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.MefExtensions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Ribbon.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Docs.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Controls.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Other.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.UICommon.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\wupi.net.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DBKeeperLogic.v4.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Printing.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.CodeView.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.Interception.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Gauges.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.PdfViewer.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Launcher.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Charts.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.UserManager.v4.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.DBDataService.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.DBMaintenance.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Mvvm.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Snap.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.UnityExtensions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.NavBar.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\PdfSharp-WPF.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.MRInfrastructure.v3.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.ReportingService.Interface.v4.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\CreateSQLServerDatabase.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Data.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Docking.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Spreadsheet.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Powder.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Other.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.RigakuCommonTools.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.ImageLib.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.Interface.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Ribbon.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Sparkline.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Printing.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.ImageViewerControlLib.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\TouchKeyboardNotifier.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.CustomDataDialog.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.DocumentViewer.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Core.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.SystemExtensions.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressMath.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.ReportingService.v4.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.LayoutControl.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpo.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\tbb.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.MathA.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Snap.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.RLPS.DI.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\LocalSQLserverSettings.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Layout.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.UndoRedoService.Interface.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.RasxLib.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.DBUPR.DI.v1.0.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DSCViewerControlLib.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.XrayPhysics.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\zlib.net.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Docking.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.Sample.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Data.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.DSCViewerControlLib.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.RigakuCommonTools.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6BC5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.LayoutControl.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.SignatureLib.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.ImageViewerControlLib.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Film.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logging.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.UICommon.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.DocumentViewer.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressModule.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\WupiEngineNet.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Charts.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.Office2016White.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Utils.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.MathA.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.UserManager.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\SureDI.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.MaterialsService.Interface.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Core.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.Launcher.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Printing.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.RichEdit.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\SlimDX.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Materials.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\MathNet.Numerics.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.Materials.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.SignatureLib.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{12226574-52CC-483F-8DB0-E617C91F04D0}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Editors.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.RichEdit.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.XtraEditors.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Layers.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Printing.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.Communication.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logic.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.DataStruct.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.DataBrowserDialog.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Interface.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\UpdateSQL.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Sparkline.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Basic.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Layers.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Spreadsheet.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.DataAccess.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Spreadsheet.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.SystemExtensions.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.NavBar.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureMath.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.RichEdit.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.DBDataService.v4.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.DBManager.v4.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Interface.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Sample.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.SmartBlue.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Office.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Utils.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.DataAccess.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.XrayPhysics.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Controls.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.TextureModule.v1.1.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpo.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Spreadsheet.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Extensions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Editors.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI360D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.Database.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Grid.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Drawing.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\WupiEngine64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.Interface.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.ServiceLocation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\MonitoredUndo.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DataBrowserDialog.v1.0.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SureDI.exe	File created: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.MRInfrastructure.v3.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.CodeParser.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\SQLserverConnectionSettings.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Signature.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.PdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Charts.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\System.ComponentModel.Composition.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\EntLibContrib.Logging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.XtraCharts.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.XtraCharts.v19.2.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.StressModule.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.Interactivity.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Logging.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.CustomDataDialog.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Ionic.Zip.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Utils.v2.0.resources.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\wac36A9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.DBBrowser.v1.0.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8CAC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.IO.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\DevExpress.Office.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Interface.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\PdfSharp.Xps.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{12226574-52CC-483F-8DB0-E617C91F04D0}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6BC5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI360D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8CAC.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\License\JP\License.rtf			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Rigaku\SureDI\License\US\License.rtf			Jump to behavior

Boot Survival

Creates or modifies windows services

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rigaku	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rigaku\SureDI	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rigaku\SureDI\SureDI.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\msiexec.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\SureDI.exe

0_2_00458F38

Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Memory allocated: 1C239D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Memory allocated: 1C2522E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Memory allocated: 216E2C70000 memory reserve \| memory write watch
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Memory allocated: 216FC6F0000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Window / User API: threadDelayed 3790	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Window / User API: threadDelayed 6036	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Window / User API: threadDelayed 4932
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Window / User API: threadDelayed 4974

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.UICommon.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressModule.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\WupiEngineNet.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.Office2016White.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFDE6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Utils.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.MathA.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.DBBrowser.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.UserManager.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Images.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureModule.v1.1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.xPDF.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Services.MaterialsService.Interface.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Printing.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\SlimDX.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.DBManager.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Materials.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\MathNet.Numerics.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.DBKeeperLogic.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.SignatureLib.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{12226574-52CC-483F-8DB0-E617C91F04D0}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.MefExtensions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Editors.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.XtraEditors.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.RichEdit.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Controls.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Docs.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\wupi.net.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.Communication.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Printing.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logic.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.CodeView.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.Interception.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.DataStruct.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.DataBrowserDialog.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Gauges.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.PdfViewer.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\UpdateSQL.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Basic.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Layers.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.DataAccess.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.SystemExtensions.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.NavBar.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Launcher.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureMath.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.RichEdit.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Charts.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Interface.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Services.DBDataService.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.DBMaintenance.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Mvvm.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Snap.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.UnityExtensions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Sample.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\PdfSharp-WPF.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.MRInfrastructure.v3.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.SmartBlue.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\CreateSQLServerDatabase.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Utils.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.XrayPhysics.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Spreadsheet.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Powder.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Spreadsheet.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Extensions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.RigakuCommonTools.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Other.v2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI360D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.ImageLib.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.Database.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.Interface.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Ribbon.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Sparkline.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Drawing.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\WupiEngine64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.Interface.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\TouchKeyboardNotifier.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.ServiceLocation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\MonitoredUndo.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.DocumentViewer.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Core.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressMath.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.CodeParser.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\SQLserverConnectionSettings.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Signature.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpo.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Charts.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\System.ComponentModel.Composition.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\EntLibContrib.Logging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.XtraCharts.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\tbb.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.Interactivity.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Logging.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.RLPS.DI.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\LocalSQLserverSettings.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.CustomDataDialog.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Ionic.Zip.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Layout.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Services.UndoRedoService.Interface.v4.0.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wac36A9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.RasxLib.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI8CAC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.DBUPR.DI.v1.0.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.IO.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\zlib.net.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Docking.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Data.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.DSCViewerControlLib.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.LayoutControl.v19.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6BC5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.ImageViewerControlLib.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Office.v19.2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logging.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Film.v1.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\PdfSharp.Xps.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Interface.v2.0.dll	Jump to dropped file

Found evaded block containing many API calls

Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe

Evaded block: after key decision

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\SureDI.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\SureDI.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\SureDI.exe

API coverage: 8.6 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\msiexec.exe TID: 8052	Thread sleep count: 5816 > 30	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 8052	Thread sleep count: 3934 > 30	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 8068	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe TID: 8180	Thread sleep count: 3790 > 30	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe TID: 8180	Thread sleep count: 6036 > 30	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe TID: 6016	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe TID: 6016	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe TID: 792	Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2944	Thread sleep time: -30000s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_004373F3 __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,		0_2_004373F3
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_004373F3 __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,		1_2_004373F3

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_0048C06D GetModuleHandleW,GetProcAddress,GetSystemInfo,GetNativeSystemInfo,

0_2_0048C06D

Source: C:\Windows\System32\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Thread delayed: delay time: 922337203685477

Source: SureDI.exe	Binary or memory string: 2hgFs
Source: svchost.exe, 0000000F.00000002.2932351016.00000249FAA54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2930591574.00000249F542A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\SureDI.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_00456645 IsDebuggerPresent,

0_2_00456645

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\SureDI.exe

0_2_0046723E

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_00450F18 __EH_prolog3_GS,LoadLibraryW,GetProcAddress,#17,

0_2_00450F18

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_00412E9E GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,_strlen,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,ReadFile,GetProcessHeap,HeapFree,

0_2_00412E9E

Enables debug privileges

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0046270D SetUnhandledExceptionFilter,	0_2_0046270D
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00462730 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00462730
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0046270D SetUnhandledExceptionFilter,	1_2_0046270D
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00462730 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00462730

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SureDI.exe	Process created: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe /q"C:\Users\user\Desktop\SureDI.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}" /IS_temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Process created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe True	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process created: C:\Windows\System32\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\local\temp\{acb5abde-1955-466a-9c3a-b1fff8bb5cfb}\rigaku suredi.msi" transforms="c:\users\user\appdata\local\temp\{acb5abde-1955-466a-9c3a-b1fff8bb5cfb}\1033.mst" setupexedir="c:\users\user\desktop" setupexename="suredi.exe"
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Process created: C:\Windows\System32\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\local\temp\{acb5abde-1955-466a-9c3a-b1fff8bb5cfb}\rigaku suredi.msi" transforms="c:\users\user\appdata\local\temp\{acb5abde-1955-466a-9c3a-b1fff8bb5cfb}\1033.mst" setupexedir="c:\users\user\desktop" setupexename="suredi.exe"			Jump to behavior

Source: C:\Users\user\Desktop\SureDI.exe

0_2_00449455

Source: C:\Users\user\Desktop\SureDI.exe

0_2_00486444

Source: SureDI.exe	Binary or memory string: Shell_TrayWnd
Source: SureDI.exe	Binary or memory string: BTahomaShell_TrayWnd0x0409TjK

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_00458171 cpuid

0_2_00458171

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\SureDI.exe	Code function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,	0_2_0045087D
Source: C:\Users\user\Desktop\SureDI.exe	Code function: GetLocaleInfoW,	0_2_00450902
Source: C:\Users\user\Desktop\SureDI.exe	Code function: IsProcessorFeaturePresent,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,	0_2_004589D8
Source: C:\Users\user\Desktop\SureDI.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,GetLocaleInfoW,	0_2_00476474
Source: C:\Users\user\Desktop\SureDI.exe	Code function: EnumSystemLocalesW,	0_2_004766E4
Source: C:\Users\user\Desktop\SureDI.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_00476740
Source: C:\Users\user\Desktop\SureDI.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_004767BD
Source: C:\Users\user\Desktop\SureDI.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,	0_2_00476840
Source: C:\Users\user\Desktop\SureDI.exe	Code function: GetLocaleInfoW,	0_2_00476A33
Source: C:\Users\user\Desktop\SureDI.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00476B5B
Source: C:\Users\user\Desktop\SureDI.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	0_2_00476C08
Source: C:\Users\user\Desktop\SureDI.exe	Code function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	0_2_00476CDC
Source: C:\Users\user\Desktop\SureDI.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00467A41
Source: C:\Users\user\Desktop\SureDI.exe	Code function: EnumSystemLocalesW,	0_2_00467C20
Source: C:\Users\user\Desktop\SureDI.exe	Code function: GetLocaleInfoW,	0_2_00467CA6
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,	1_2_0045087D
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: GetLocaleInfoW,	1_2_00450902
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: IsProcessorFeaturePresent,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,	1_2_004589D8
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,GetLocaleInfoW,	1_2_00476474
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: EnumSystemLocalesW,	1_2_004766E4
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_00476740
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_004767BD
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,	1_2_00476840
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: GetLocaleInfoW,	1_2_00476A33
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_00476B5B
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	1_2_00476C08
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	1_2_00476CDC
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	1_2_00467A41
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: EnumSystemLocalesW,	1_2_00467C20
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: GetLocaleInfoW,	1_2_00467CA6

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetSecurity\Microsoft.Windows.Firewall.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Queries volume information: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe VolumeInformation	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Queries volume information: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logging.v1.0.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Queries volume information: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Queries volume information: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.ServiceLocation.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Queries volume information: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Common.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Queries volume information: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Queries volume information: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.Interception.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logging.v1.0.dll VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_00446536 __EH_prolog3_GS,GetLocalTime,SystemTimeToVariantTime,

0_2_00446536

Source: C:\Users\user\Desktop\SureDI.exe

Code function: 0_2_00430B5D __EH_prolog3_GS,GetVersionExW,_wcscmp,_wcscmp,

0_2_00430B5D

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

ID:	1523277
Product:	CloudBasic
Start time:	12:18:23
Start date:	01.10.2024
Sample:	SureDI.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	1a6a5dbfd0a009f1d1738eb4abd18316
SHA1:	6d1598d23209aec395263376f6fb753100031cae
SHA256:	e8ee9c2ba8f88c3a4c6d3221327c0242c17ad9204f6830e12adfbe6e00981b20
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report SureDI.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Windows Analysis Report
SureDI.exe